CVE-2026-55693
Severity CVSS v4.0:
MEDIUM
Type:
CWE-787
Out-of-bounds Write
Publication date:
25/06/2026
Last modified:
26/06/2026
Description
Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
Impact
Base Score 4.0
5.70
Severity 4.0
MEDIUM
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:* | 9.2.0653 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



