Message-ID: <aaIPX8vdZhmlp9at@256bit.org>
Date: Fri, 27 Feb 2026 22:40:47 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075

Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075
========================================================================

Date: 27.02.2026
Severity: Medium
CVE: CVE-2026-28419
CWE: Heap-based Buffer Underflow (CWE-124) / Out-of-bounds Read (CWE-125)

### Summary

A heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer.

### Description

The vulnerability is located in the `emacs_tags_parse_line()` function in `src/tag.c`. When parsing Emacs-style tags that use the "second format" (where the tag name is not explicitly provided), the code attempts to isolate the tag name by scanning backward from the `0x7f` delimiter.

If the `0x7f` delimiter is located at the very beginning of the line (`p_7f == lbuf`), the pointer arithmetic `p = p_7f - 1` results in a pointer that precedes the start of the heap-allocated buffer. The code then dereferences this pointer in the `vim_iswordc()` check before verifying the buffer bounds, leading to an out-of-bounds read.

### Impact

An attacker who induces a user to perform a tag lookup using a crafted Emacs tags file can trigger a 1-byte out-of-bounds read. This can lead to a crash (Denial of Service).

The severity is rated **medium** because it is a 1-byte read-only underflow and requires user interaction with a malicious file.

### Acknowledgements

The Vim project would like to thank GitHub users ehdgks0627 and un3xploitable for identifying the vulnerability and providing a proof-of-concept.
### References

The issue has been fixed as of Vim patch [v9.2.0075](https://github.com/vim/vim/releases/tag/v9.2.0075).

[Commit](https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812)
[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv)

Thanks,
Christian

--
A noble person attracts noble people and knows how to keep them.
-- Johann Wolfgang von Goethe (Torquato Tasso)