CVE-2026-32249

Published: Mar 12, 2026

Modified: Mar 13, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.

Vendor	Product	Versions
vim	vim	affected `>= 9.1.0011, < 9.2.0137`

Weaknesses (CWE)

CWE-476

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

References

https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r

x_refsource_CONFIRM

https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec

x_refsource_MISC

https://github.com/vim/vim/releases/tag/v9.2.0137

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32249

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References