Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAG-20GToEuBW5jHN2kMj3avJn8ay7uEPqSwbnNSdx_OmnePwgA@mail.gmail.com>
Date: Thu, 14 May 2026 11:16:57 +0800
From: Tianyu Chen <billchenchina2001@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: [vim-security] Heap Buffer Overflow in spell file
 loading affects Vim < 9.2.0450

According to GHSA, this has been assigned CVE-2026-45130.

Best Regards,
Tianyu Chen


Christian Brabandt <cb@...bit.org> 于2026年5月8日周五 03:14写道：

> Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450
> =================================================================
> Date: 07.05.2026
> Severity: Medium
> CVE: *requested, not yet assigned*
> CWE: Integer Overflow or Wraparound (CWE-190) leading to Heap-based Buffer
> Overflow (CWE-122)
>
> ## Summary
> A heap buffer overflow exists in `read_compound()` in `src/spellfile.c`
> when loading a crafted spell file (`.spl`) with UTF-8 encoding active.
> An attacker-controlled length field in the spell file's compound section
> overflows a 32-bit signed integer multiplication, causing a small buffer
> to be allocated for a write loop that runs many iterations, overflowing
> the heap.  Because the `'spelllang'` option can be set from a modeline,
> a text file modeline can trigger spell file loading if a malicious
> `.spl` file has been planted on the runtimepath.
>
> ## Description
> In `read_compound()` (`src/spellfile.c`), the buffer size for the regex
> pattern `pat` is computed from the attacker-controlled `sectionlen`
> field of an `SN_COMPOUND` section.  Both `todo` and the size variable
> `c` are declared as `int`:
>
>     c = todo * 2 + 7;
>     if (enc_utf8)
>         c += todo * 2;
>     pat = alloc(c);
>
> When `todo` is sufficiently large (e.g. `0x40000005`), the multiplication
> `todo * 4 + 7` overflows the 32-bit signed integer and wraps to a small
> positive value (e.g. 27).  `alloc(27)` succeeds, but the subsequent loop
> iterates `todo` (~1 billion) times, writing bytes into the 27-byte
> buffer and corrupting adjacent heap memory.
>
> The overflow only manifests when UTF-8 encoding is active (`enc_utf8`).
> Without it, the intermediate value remains negative, sign-extends to a
> huge `size_t`, and `alloc()` returns NULL harmlessly.  UTF-8 is the
> default on virtually all modern Linux and macOS systems.
>
> A modeline in an unrelated text file can set `'spelllang'` and enable
> `'spell'`, causing Vim to load a spell file under the attacker's control
> if one has been planted on the runtimepath (e.g. `~/.vim/spell/`).
>
> ## Impact
> The vulnerability allows a heap buffer overflow of approximately 75
> bytes with partially attacker-controlled content when Vim loads a
> crafted spell file under UTF-8 encoding.  The practical impact is a
> crash of the Vim process (denial of service).
>
> Exploitation requires a malicious `.spl` file to be present on the
> runtimepath and the victim to either:
>
> - explicitly enable spell checking with the matching language, or
> - open any text file containing a modeline that sets `'spelllang'`
>   and enables `'spell'`, while `'modeline'` is enabled.
>
> The severity is rated Medium because exploitation requires both a
> planted spell file and a separate triggering action by the victim, and
> the practical outcome is a crash rather than code execution.
>
> ## Acknowledgements
> The Vim project would like to thank Daniel Cervera (@daniel-msft) of
> Microsoft Security Engineering for reporting and analyzing the issue and
> suggesting a fix.
>
> ## References
> The issue has been fixed as of Vim patch [v9.2.0450](
> https://github.com/vim/vim/releases/tag/v9.2.0450).
> - [Commit](
> https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
> )
> - [Github Security Advisory](
> https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv)
>
>
>
> Best,
> Christian
> --
> Man soll die Wahrheit mehr als sich selbst lieben, aber seinen
> Nächsten mehr als die Wahrheit.
>                 -- Romain Rolland
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.