Message-ID: <aaIPVDjoNGmseZIp@256bit.org>
Date: Fri, 27 Feb 2026 22:40:36 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074

Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074
======================================================================

Date: 27.02.2026
Severity: Low
CVE: CVE-2026-28418
CWE: Heap-based Buffer Overflow (CWE-122) / Out-of-bounds Read (CWE-125)

### Summary

A heap-based buffer overflow (an out-of-bounds read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary.

### Description

The vulnerability is located in the `emacs_tags_new_filename()` function. When Vim encounters a section header in an Emacs-style tags file, it reads the following line into a fixed 512-byte heap buffer. The code then searches for a comma delimiter to separate the filename from the section metadata.

If a crafted tags file provides a line exceeding the buffer capacity without a comma, the search loop reaches the end of the allocation. Because the code assumes a comma was found, it proceeds to check for an "include" directive by accessing memory immediately following the buffer boundary. This results in an out-of-bounds read of up to 7 bytes.

### Impact

The vulnerability allows for an out-of-bounds heap read. An attacker who induces a user to perform a tag lookup using a crafted Emacs tags file (e.g., in a malicious repository) can crash Vim.

The severity is rated **low** because it is a read-only overflow and requires the user to load and interact with a malicious Emacs tags file.

### Acknowledgements

The Vim project would like to thank the reporters, GitHub users ehdgks0627 and un3xploitable, for identifying the vulnerability and providing a proof-of-concept.
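The defect class described above is a delimiter search that runs off the end of a fixed-size line buffer and then assumes the delimiter was found. The following C program is an added illustration, not Vim's code and not the fix applied in v9.2.0074: it reads a section line into a 512-byte buffer the way the advisory describes, searches for the comma strictly within the buffer, and rejects the line when no comma is found instead of inspecting bytes past the allocation. The check for the "include" directive only compares when all seven bytes of the literal lie inside the buffer (seven is also the figure the advisory gives for the over-read). Names such as `TAG_LINE_BUF`, `load_line()` and `parse_emacs_section_line()` are assumptions chosen for this example, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define TAG_LINE_BUF 512   /* assumed name; size matches the fixed 512-byte buffer in the advisory */

/* Copy one tags-file line into the fixed buffer the way a line reader would:
 * at most `cap` bytes, zero-filled when the line is shorter, and deliberately
 * NOT NUL-terminated when the line fills the buffer, which is exactly the
 * case the parser must survive. Returns the number of bytes copied. */
size_t load_line(char *buf, size_t cap, const char *src)
{
    size_t len = strlen(src);
    if (len > cap)
        len = cap;
    memset(buf, 0, cap);
    memcpy(buf, src, len);
    return len;
}

/* Search for the comma separating the filename from the section metadata,
 * but only inside the buffer: stop at NUL, newline or the buffer's end.
 * Returns the comma's offset, or -1 when no comma lies within bounds. */
static long find_comma_bounded(const char *buf, size_t cap)
{
    for (size_t i = 0; i < cap; i++) {
        if (buf[i] == '\0' || buf[i] == '\n')
            break;
        if (buf[i] == ',')
            return (long)i;
    }
    return -1;
}

/* Parse a section line of the form "filename,<metadata>". On success returns 1
 * and stores the filename length and whether the metadata is the "include"
 * directive. Returns 0 when no comma lies within the buffer, so the caller
 * rejects the line rather than reading past the end of the allocation. */
int parse_emacs_section_line(const char *buf, size_t cap,
                             size_t *fname_len, int *is_include)
{
    long comma = find_comma_bounded(buf, cap);
    if (comma < 0)
        return 0;                                   /* no comma: reject, do not guess */
    *fname_len = (size_t)comma;
    const char *meta = buf + comma + 1;
    size_t remaining = cap - (size_t)comma - 1;     /* bytes still inside the buffer */
    /* "include" is 7 bytes; only compare when all 7 are inside the buffer. */
    *is_include = (remaining >= 7 && memcmp(meta, "include", 7) == 0);
    return 1;
}

int main(void)
{
    char buf[TAG_LINE_BUF];
    size_t n;
    int inc;
    const char *samples[] = {            /* constructed sample section lines */
        "src/main.c,1234\n",
        "include/util.h,include\n",
    };
    for (size_t i = 0; i < 2; i++) {
        load_line(buf, sizeof buf, samples[i]);
        if (parse_emacs_section_line(buf, sizeof buf, &n, &inc))
            printf("filename length %zu, include=%d\n", n, inc);
        else
            printf("rejected: no comma within buffer\n");
    }
    /* A 700-byte line with no comma overfills the 512-byte buffer: rejected. */
    char longline[701];
    memset(longline, 'A', 700);
    longline[700] = '\0';
    load_line(buf, sizeof buf, longline);
    printf("long line without comma: %s\n",
           parse_emacs_section_line(buf, sizeof buf, &n, &inc) ? "accepted" : "rejected");
    return 0;
}
```

The two edge cases worth keeping in a regression test are a comma in the very last byte of the buffer (valid, but with zero bytes of metadata inside bounds) and a line whose "include" directive is cut off by the buffer limit (the comma is found, but the directive must not be matched because only part of it is inside the buffer).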
### References

The issue has been fixed as of Vim patch [v9.2.0074](https://github.com/vim/vim/releases/tag/v9.2.0074).

[Commit](https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb)
[GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j)

Thanks,
Christian

--
A single agitator is sometimes worth more than all the appeasers put together.
-- Georg Büchner