Zero Day MonitorZDM

← Back to list

5.3

CVE-2026-28419PATCHED

vim · vim

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file whe

Description

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.

Affected Products

Vendor	Product	Versions
vim	vim	< 9.2.0075

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
canonical	ubuntu linux	cert_advisory	90%
fedora	fedora linux	cert_advisory	90%
open source	vim	cert_advisory	90%
su	suse linux	cert_advisory	90%
su	suse opensuse	cert_advisory	90%

References

https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812(Patch)
https://github.com/vim/vim/releases/tag/v9.2.0075(Product)
https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv(Patch, Vendor Advisory)
http://www.openwall.com/lists/oss-security/2026/02/27/8(Mailing List, Patch, Third Party Advisory)

Related News (1 articles)

Tier B

BSI Advisories2d ago

[UPDATE] [mittel] vim: Mehrere Schwachstellen

→ No new info (linked only)

CVSS 3.15.3 MEDIUM

VectorCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited❌ No

Patch available

9.2.0075

CWECWE-124, CWE-125

PublishedFeb 27, 2026

Last enriched7h ago

Trending Score15

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-34714

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

MEDIUMCVE-2026-25749

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vu

MEDIUMCVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

MEDIUMCVE-2026-28420

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combin

MEDIUMCVE-2026-28421

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unva

Pin to Dashboard

Verification

State: verified

Confidence: 100%

Vulnerability Timeline

CVE Published

Feb 27, 2026

Patch Available

Mar 4, 2026

Discovered by ZDM

Apr 1, 2026