Zero Day Monitor (ZDM) © 2026
CVE-2026-32249 · PATCHED · CVSS 5.3
vim · vim

Description

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.
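The practical question for an administrator reading this record is whether an installed Vim falls inside the affected range the description gives (9.1.0011 up to, but not including, 9.2.0137). The script below is an added example, not code from this page or from the Vim project: it assumes the usual `vim --version` layout (a first line of the form `VIM - Vi IMproved 9.1 (...)` and an `Included patches: 1-N` line, where the last patch number is the patch level), derives the full `MAJOR.MINOR.PATCH` string from a constructed sample of that output, and compares it against the range. To check a live system, replace the constructed sample with the real output of `vim --version`.

```shell
#!/bin/sh
# Added example (not from the ZDM page or the Vim project).
# Checks a Vim version string against the affected range stated for
# CVE-2026-32249: 9.1.0011 <= version < 9.2.0137.

# Collapse "MAJOR.MINOR.PATCH" into one integer so versions compare numerically.
vim_version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 100000000 + $2 * 10000 + $3 }'
}

# Return 0 when the version is inside the affected range, 1 otherwise.
vim_is_affected() {
    v=$(vim_version_key "$1")
    lo=$(vim_version_key "9.1.0011")
    hi=$(vim_version_key "9.2.0137")
    [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]
}

# Derive "MAJOR.MINOR.PATCH" from the text of `vim --version` (passed as $1).
# Assumption: the first line reads "VIM - Vi IMproved X.Y (...)" and the patch
# level is the last number on the "Included patches: 1-N" line.
vim_version_from_output() {
    mm=$(printf '%s\n' "$1" | awk '/^VIM - Vi IMproved/ { print $5; exit }')
    patch=$(printf '%s\n' "$1" | awk '/^Included patches:/ { n = split($0, a, /[-, ]+/); print a[n]; exit }')
    [ -n "$patch" ] || patch=0
    printf '%s.%04d\n' "$mm" "$patch"
}

# Constructed sample of `vim --version` output (not captured from a real host).
SAMPLE_OUTPUT='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Mar 10 2025 12:00:00)
Included patches: 1-1000
Compiled by example@localhost'

# On a real system use: SAMPLE_OUTPUT=$(vim --version 2>/dev/null)
installed=$(vim_version_from_output "$SAMPLE_OUTPUT")
if vim_is_affected "$installed"; then
    echo "vim $installed is in the affected range; update to 9.2.0137 or later"
else
    echo "vim $installed is outside the affected range"
fi
```

The integer key keeps the comparison portable: `sort -V` is a GNU extension, whereas `awk` and `[ -ge ]` are available in any POSIX shell environment.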

Affected Products

Vendor | Product | Versions
vim    | vim     | < 9.1.0137

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor      | Product      | Source        | Confidence
canonical   | ubuntu linux | cert_advisory | 90%
open source | vim          | cert_advisory | 90%

References

  • https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec (Patch)
  • https://github.com/vim/vim/releases/tag/v9.2.0137 (Release Notes)
  • https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r (Vendor Advisory)

Related News (1 article)

Tier B · BSI Advisories · 1d ago
[UPDATE] [medium] vim: Vulnerability allows denial of service
→ No new info (linked only)
CVSS 3.1: 5.3 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA KEV: No
Actively exploited: No
Patch available: 9.1.0137
CWE: CWE-476
Published: Mar 12, 2026
Last enriched: 1d ago (v2)
Tags: Denial of Service
Trending Score: 20
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

MEDIUM · PRE-CVE · Trending: 23
Command injection via backtick expansion in tag filenames in Vim

HIGH · CVE-2026-34982 · Trending: 20
Vim modeline bypass via various options affects Vim < 9.2.0276

MEDIUM · CVE-2026-39881 · Trending: 20
Vim Ex command injection in Vim's NetBeans integration

CRITICAL · CVE-2026-35177 · EXP · Trending: 18
Path traversal issue with zip.vim in Vim

MEDIUM · CVE-2026-33412 · Trending: 13
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 12, 2026
Patch Available: Mar 18, 2026
Discovered by ZDM: Apr 1, 2026
Updated (tags): Apr 14, 2026

Version History

v2 (last enriched 1d ago)

v2 · Tier B · 1d ago
Updated description to include Denial of Service attack capability and marked exploit as available and actively exploited.
tags (via BSI Advisories)

v1 · 14d ago
Initial creation