Message-ID: <aaIPd0B3Nz0z1OAw@256bit.org>
Date: Fri, 27 Feb 2026 22:41:11 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077

Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077
====================================================================

Date: 27.02.2026
Severity: Moderate
CVE: CVE-2026-28421
CWE: Heap-based Buffer Overflow (CWE-122) / Improper Input Validation (CWE-20)

### Summary

A heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file.

### Description

During swap file recovery, `ml_recover()` reads pointer block entries (`pe_bnum`, `pe_line_count`, `pe_page_count`, etc.) directly from the file.

1) Heap Overflow: If a crafted swap file provides bogus block numbers (`pe_bnum`) or page counts (`pe_page_count`) that exceed the swap file size, `mf_get()` fails. Vim attempts to recover by appending "???MANY LINES MISSING" via `ml_append()`. A crafted file can trigger this enough times to overflow the `db_index` array in the current data block.

2) SEGV: If `pe_bnum` is negative, Vim attempts to read from the original file using `readfile()`. Because the offsets (`pe_old_lnum`) and counts (`pe_line_count`) from the swap file are not validated, Vim passes garbage parameters to `readfile()`, resulting in a segmentation fault.

### Impact

An attacker who can provide a crafted swap file to a user (e.g., via a shared project directory) can trigger a crash or potentially execute arbitrary code when the user attempts to recover the file.

### Acknowledgements

The Vim project would like to thank the reporters, GitHub users ehdgks0627 and un3xploitable, for identifying the vulnerability and providing a proof-of-concept.
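The Description above boils down to pointer-entry fields being trusted before they are checked against the on-disk sizes. The following is an added illustration, not Vim's code or the actual fix: a validation routine over a struct that mirrors the field names the advisory cites (`pe_bnum`, `pe_line_count`, `pe_old_lnum`, `pe_page_count`); the struct layout, the `PeStatus` result codes and the exact bounds are assumptions made for this example.

```c
/* Added example (not Vim's own code): reject a swap-file pointer entry whose
 * fields cannot possibly be consistent with the files on disk, before any
 * read is attempted with them. Struct layout is an assumption. */
#include <stdint.h>

typedef struct {
    int64_t pe_bnum;        /* block number in swap file; negative = not written yet */
    int64_t pe_line_count;  /* lines reachable through this entry */
    int64_t pe_old_lnum;    /* first line number in the original file */
    int     pe_page_count;  /* number of pages the block occupies */
} PtrEntry;

typedef enum {
    PE_OK = 0,
    PE_BAD_LINE_COUNT,   /* negative line count */
    PE_BAD_PAGE_COUNT,   /* zero or negative page count */
    PE_BEYOND_SWAP_FILE, /* block would lie outside the swap file */
    PE_BAD_OLD_LNUM      /* original-file range does not exist */
} PeStatus;

/* swap_size: swap file length in bytes; page_size: bytes per page (> 0);
 * orig_lines: number of lines in the original file. */
PeStatus validate_pointer_entry(const PtrEntry *pe, int64_t swap_size,
                                int64_t page_size, int64_t orig_lines)
{
    if (pe->pe_line_count < 0)
        return PE_BAD_LINE_COUNT;
    if (pe->pe_page_count <= 0)
        return PE_BAD_PAGE_COUNT;
    if (pe->pe_bnum < 0) {
        /* Lines would be fetched from the original file, so the offset and
         * count must describe a range that file actually contains. */
        if (pe->pe_old_lnum < 1 || pe->pe_old_lnum > orig_lines
                || pe->pe_line_count > orig_lines - pe->pe_old_lnum + 1)
            return PE_BAD_OLD_LNUM;
        return PE_OK;
    }
    /* Block must end inside the swap file; guard the multiplication first
     * so a huge block number cannot wrap around to a small offset. */
    if (pe->pe_bnum > (INT64_MAX / page_size) - pe->pe_page_count)
        return PE_BEYOND_SWAP_FILE;
    if ((pe->pe_bnum + pe->pe_page_count) * page_size > swap_size)
        return PE_BEYOND_SWAP_FILE;
    return PE_OK;
}
```

A recovery loop that receives anything other than `PE_OK` can skip the entry (or record a single "lines missing" marker) rather than calling `mf_get()` or `readfile()` with the raw values.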
### References

The issue has been fixed as of Vim patch [v9.2.0077](https://github.com/vim/vim/releases/tag/v9.2.0077)

[Commit](https://github.com/vim/vim/commit/65c1a143c331c886dc28)

[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p)

Thanks,
Christian

--
Is the screen (Bildschirm) called that because it shields (abschirmt) pictures (Bilder)?