Message-ID: <aaIPbS8JzoWltKS3@256bit.org>
Date: Fri, 27 Feb 2026 22:41:01 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076

Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076
===========================================================================

Date: 27.02.2026
Severity: Moderate
CVE: CVE-2026-28420
CWE: Heap-based Buffer Overflow (CWE-122) / Out-of-bounds Read (CWE-125)

### Summary

A heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when it processes the maximum number of combining characters from Unicode supplementary planes.

### Description

The vulnerabilities are located in handle_pushline() in src/terminal.c.

1) Heap overflow: Vim reserves 21 bytes (MB_MAXBYTES) per cell via ga_grow(). This assumes that the characters stay within the BMP (at most 3 bytes each). However, a cell can contain up to 6 characters from supplementary planes (4 bytes each). These require 24 bytes, causing a 3-byte heap overflow during conversion.

2) OOB read: The loop iterating over a cell's characters does not check the boundary of the vterm_screen_cell_t.chars array. When a cell is fully populated, the loop condition reads index 6 of a 6-element array.

### Impact

An attacker who can control the output of a program running inside a Vim :terminal buffer can trigger a heap buffer overflow. This can result in a crash (Denial of Service) or potential memory corruption.

### Acknowledgements

The Vim project would like to thank the reporters, GitHub users ehdgks0627 and un3xploitable, for identifying the vulnerability and providing a proof-of-concept.
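To illustrate the two defects described above in C, here is an added, constructed model of the per-cell conversion; it is not Vim's or libvterm's handle_pushline(), and the cell struct, sample cells and function names are assumptions, while MB_MAXBYTES (21) and the six-character cell come from the advisory. It shows why a fixed 21-byte reservation is 3 bytes short for a full supplementary-plane cell, and how bounding the loop by the array length prevents the read of index 6.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed model (not Vim's or libvterm's code): a cell holds up to
 * MAX_CHARS_PER_CELL code points; a 0 ends the list early, a full cell has none. */
#define MAX_CHARS_PER_CELL 6
#define MB_MAXBYTES 21   /* the per-cell reservation the advisory names */

typedef struct { uint32_t chars[MAX_CHARS_PER_CELL]; } cell_t;
/* Constructed samples: base + five supplementary-plane combining characters
 * (4 UTF-8 bytes each), a full BMP cell (3 bytes each), a partially filled cell. */
const cell_t full_supplementary = {{0x1F600, 0xE0100, 0xE0101, 0xE0102, 0xE0103, 0xE0104}};
const cell_t full_bmp = {{0x4E2D, 0x3099, 0x3099, 0x3099, 0x3099, 0x3099}};
const cell_t partial = {{0x1F600, 0xE0100, 0, 0, 0, 0}};

/* Encode one code point as UTF-8 into dst (room for 4 bytes); returns length. */
static size_t utf8_encode(uint32_t cp, unsigned char *dst)
{
    if (cp < 0x80)    { dst[0] = (unsigned char)cp; return 1; }
    if (cp < 0x800)   { dst[0] = 0xC0 | (cp >> 6); dst[1] = 0x80 | (cp & 0x3F); return 2; }
    if (cp < 0x10000) { dst[0] = 0xE0 | (cp >> 12); dst[1] = 0x80 | ((cp >> 6) & 0x3F);
                        dst[2] = 0x80 | (cp & 0x3F); return 3; }
    dst[0] = 0xF0 | (cp >> 18); dst[1] = 0x80 | ((cp >> 12) & 0x3F);
    dst[2] = 0x80 | ((cp >> 6) & 0x3F); dst[3] = 0x80 | (cp & 0x3F); return 4;
}

/* Bytes the cell occupies as UTF-8. The loop is bounded by the array length
 * as well as by the 0 terminator; with "chars[i] != 0" alone, a fully
 * populated cell would read chars[6], one past the end. */
size_t cell_utf8_len(const cell_t *c)
{
    size_t n = 0;
    for (int i = 0; i < MAX_CHARS_PER_CELL && c->chars[i] != 0; i++) {
        unsigned char tmp[4];
        n += utf8_encode(c->chars[i], tmp);
    }
    return n;
}

/* Hardened conversion into a fixed MB_MAXBYTES slot: size from the real content
 * instead of assuming 3-byte characters, refuse (return 0) instead of overflowing. */
size_t convert_into_reservation(const cell_t *c)
{
    unsigned char slot[MB_MAXBYTES];
    size_t n = 0;
    if (cell_utf8_len(c) > MB_MAXBYTES) return 0;
    for (int i = 0; i < MAX_CHARS_PER_CELL && c->chars[i] != 0; i++)
        n += utf8_encode(c->chars[i], slot + n);
    return n;
}
```

The fixed Vim patch instead grows the reservation to fit; the refusal here only makes the shortfall visible.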
### References

The issue has been fixed as of Vim patch [v9.2.0076](https://github.com/vim/vim/releases/tag/v9.2.0076)

[Commit](https://github.com/vim/vim/commit/bb6de2105b160e729c34063)

[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg)

Thanks,
Christian

-- 
Here we work hand in hand: what one hand can't manage, the other leaves lying around. What nobody can do, I can do too!