Zero Day Monitor (ZDM)
CVE-2026-26269 · PATCHED · CVSS 5.4
vim · vim

Description

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The overflow is in special_keys() (in src/netbeans.c): the while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
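
A simplified model of the bounds check the description says was missing, added here as an illustration; it is not Vim's source or the upstream patch. The function name `build_key_name` and the token shape (modifier letters A/M/C/S, a dash, then a key name) are assumptions; only the 64-byte `keybuf` and the two-bytes-per-iteration write come from the description above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEYBUFLEN 64 /* keybuf size stated in the description */

/*
 * Hypothetical helper (not a Vim function): expand a token such as "CS-F9"
 * into "C-S-F9". Returns the length written, or -1 if the result, including
 * the terminating NUL, would not fit in out[outlen].
 */
int build_key_name(const char *tok, char *out, size_t outlen)
{
    size_t i = 0;
    const char *sep = strchr(tok, '-');

    if (sep != NULL) {
        for (; tok < sep; tok++) {
            switch (*tok) {
            case 'A': case 'M': case 'C': case 'S':
                /* Each modifier costs two bytes: reject before writing
                 * unless both bytes and a later NUL still fit. */
                if (i + 2 >= outlen)
                    return -1;
                out[i++] = *tok;
                out[i++] = '-';
                break;
            }
        }
        tok = sep + 1; /* skip the separator, key name follows */
    }

    size_t rest = strlen(tok);
    if (rest >= outlen - i) /* no room for key name plus NUL */
        return -1;
    memcpy(out + i, tok, rest + 1);
    return (int)(i + rest);
}

int main(void)
{
    char keybuf[KEYBUFLEN];
    char big[128];

    /* Constructed input: 100 modifier letters would need 200 bytes. */
    memset(big, 'C', 100);
    strcpy(big + 100, "-F9");
    printf("normal: %d\n", build_key_name("CS-F9", keybuf, sizeof keybuf));
    printf("oversized: %d\n", build_key_name(big, keybuf, sizeof keybuf));
    return 0;
}
```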

Affected Products

Vendor | Product | Versions
vim | vim | < 9.1.2148

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor | Product | Source | Confidence
canonical | ubuntu linux | cert_advisory | 90%
fedora | fedora linux | cert_advisory | 90%
open source | vim | cert_advisory | 90%
su | suse linux | cert_advisory | 90%
su | suse opensuse | cert_advisory | 90%

References

  • https://github.com/vim/vim/commit/c5f312aad8e4179e437f81ad39a860cd0ef11970 (Patch)
  • https://github.com/vim/vim/releases/tag/v9.1.2148 (Release Notes)
  • https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68 (Patch, Vendor Advisory)
  • http://www.openwall.com/lists/oss-security/2026/02/13/2 (Mailing List, Patch, Third Party Advisory)

Related News (1 articles)

Tier B
BSI Advisories · 5d ago
[UPDATE] [medium] vim (NetBeans): Vulnerability allows code execution
→ No new info (linked only)
CVSS 3.1: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 9.1.2148
CWE: CWE-121
Published: Feb 13, 2026
Last enriched: 6d ago
Trending Score: 11
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-35177 · EXP
Path traversal issue with zip.vim in Vim
Trending: 42

HIGH · CVE-2026-34982
Vim modeline bypass via various options affects Vim < 9.2.0276
Trending: 41

CRITICAL · CVE-2026-34714 · EXP
CVE-2026-34714: Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configurat
Trending: 37

MEDIUM · CVE-2026-33412
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n
Trending: 36

MEDIUM · PRE-CVE
Netbeans Command Injection in Vim
Trending: 23

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Feb 13, 2026
Patch Available: Feb 18, 2026
Discovered by ZDM: Apr 1, 2026