Message-ID: <abG84F0/uwem7Qe2@256bit.org>
Date: Wed, 11 Mar 2026 20:05:04 +0100
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] NFA regex engine NULL pointer dereference affects Vim < 9.2.0137

NFA regex engine NULL pointer dereference affects Vim < 9.2.0137
================================================================

Date: 11.03.2026
Severity: Moderate
CVE: *not-yet-assigned*
CWE: NULL Pointer Dereference (CWE-476)

## Summary

A NULL pointer dereference occurs in `nfa_max_width()` when the NFA regex engine processes a look-behind assertion containing a collection with a combining Unicode character as a range endpoint.

## Description

Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. `[0-0\u05bb]`), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, leaving `NFA_START_COLL` with a NULL `out1` pointer. When `nfa_max_width()` subsequently traverses the compiled NFA to estimate the match width for the look-behind assertion, it dereferences `state->out1->out` without a NULL check, causing a segmentation fault.

The bug was introduced by patch [9.1.0011](https://github.com/vim/vim/commit/d2cc51f9a1a5a30ef5d2e732f49d7f495cae24cf).

## Impact

Any user or process that can supply a regex pattern to Vim, including via plugins or command-line arguments, can trigger a crash.

## Acknowledgements

The Vim project would like to thank Nathan Mills for identifying the vulnerability through fuzzing and providing a minimal reproducer and detailed analysis.
## References

The issue has been fixed as of Vim patch [v9.2.0137](https://github.com/vim/vim/releases/tag/v9.2.0137)

- [Commit](https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec)
- [GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r)

Thanks,
Christian

--
Now, in life it comes down to who utters a truth. In certain mouths even truth becomes a lie.
-- Thomas Mann
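A defender-side check added here, not part of Christian's advisory or the Vim project: it decides from `vim --version` output whether a build predates the fix in 9.2.0137. The banner line format, the "Included patches" line format (last number taken as the patch level) and the embedded sample banners are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: classify a Vim build as affected or
# not from its `vim --version` output, using the fix threshold 9.2.0137.
# Assumptions: the banner line reads "VIM - Vi IMproved X.Y (...)" and, when
# patches are included, a line reads "Included patches: 1-N" (possibly with
# gaps such as "1-100, 102-N"); the last number on that line is the patch level.

# vim_is_affected "<vim --version text>"  -> prints yes | no | unknown
vim_is_affected() {
    text=$1
    mm=$(printf '%s\n' "$text" \
        | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$mm" ]; then
        echo unknown
        return 2
    fi
    major=${mm%%.*}
    minor=${mm##*.}
    # Highest included patch number; a build with no patch line is level 0.
    patch=$(printf '%s\n' "$text" \
        | sed -n 's/^Included patches:.*[-, ]\([0-9][0-9]*\) *$/\1/p' | head -n 1)
    patch=${patch:-0}
    # Affected when version < 9.2, or version == 9.2 with patch level < 137.
    if [ "$major" -lt 9 ] \
        || { [ "$major" -eq 9 ] && [ "$minor" -lt 2 ]; } \
        || { [ "$major" -eq 9 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 137 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample banners (not real build output) for a quick self-check.
SAMPLE_OLD="VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 1 2025 00:00:00)
Included patches: 1-1000"
SAMPLE_FIXED="VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Mar 12 2026 00:00:00)
Included patches: 1-137"

# Check the locally installed vim, if there is one on PATH.
if command -v vim >/dev/null 2>&1; then
    echo "installed vim affected: $(vim_is_affected "$(vim --version)")"
fi
```

Builds with a custom banner or a vendor patch set that backports the fix without bumping the patch level will be reported as affected and need manual confirmation against the commit.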