Vim fixes spell file parser flaws that can crash editors via malicious `.spl` files
Vim disclosed and patched multiple medium-severity memory-safety vulnerabilities in its spell file parser that can be triggered by a crafted .spl spell file placed on the runtimepath. The first issue, tracked as CVE-2026-45130, affects Vim versions earlier than 9.2.0450 and stems from an integer overflow in read_compound() in src/spellfile.c when UTF-8 spell data is loaded. A malicious SN_COMPOUND length can cause an undersized heap allocation followed by out-of-bounds writes, leading primarily to a crash when a user enables spell checking or opens a file whose modeline sets spelllang and spell; Vim noted denial of service as the practical impact, though the advisory said code execution might be possible in some conditions. Daniel Cervera of Microsoft Security Engineering reported the flaw, and Vim fixed it by adding stricter bounds checks and safer allocation handling in patch 9.2.0450.
Vim later disclosed three additional spell parser bugs affecting versions earlier than 9.2.0513: a heap out-of-bounds read caused by uninitialized shared-node targets, a one-byte heap out-of-bounds read in word-counting logic, and a stack overflow from uncontrolled recursion in read_tree_node(). As with the earlier bug, exploitation requires a malicious spell file on the runtimepath and user-triggered spell loading, including via modelines. Vim rated the newer issues Medium severity and said the likely outcome is editor crashes and limited unintended reads of adjacent or uninitialized heap data rather than reliable code execution, underscoring ongoing risk in the application's spell file parsing path.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Vim fixes three additional spell parser memory-safety flaws in patch 9.2.0513
Vim disclosed and fixed three related memory-safety issues in its spell file parser affecting versions earlier than 9.2.0513: a heap out-of-bounds read from uninitialized shared-node targets, a one-byte heap out-of-bounds read in word counting logic, and a stack overflow from uncontrolled recursion in read_tree_node(). Vim rated the issues Medium severity and said a crafted .spl file could trigger crashes or limited unintended data exposure.
CVE-2026-45130 assigned to Vim spell file heap overflow
The previously disclosed Vim spell file loading vulnerability was assigned CVE-2026-45130 in the GitHub Security Advisory. The advisory tied the CVE to the heap overflow in read_compound() affecting Vim versions before 9.2.0450.
Vim discloses spell file heap overflow affecting versions before 9.2.0450
Vim publicly disclosed a medium-severity heap buffer overflow affecting versions earlier than 9.2.0450 when loading crafted UTF-8 spell files from the runtimepath. The issue, reported by Daniel Cervera of Microsoft Security Engineering, could crash Vim and was described primarily as a denial-of-service vulnerability.
Vim fixes heap buffer overflow in spell file parser in patch 9.2.0450
Vim released patch v9.2.0450 to fix a heap-based buffer overflow in read_compound() within src/spellfile.c. The patch added bounds checks for oversized compound sections, switched allocation size calculations to safer size_t handling, and included a regression test.
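The fix pattern described in the summary and in the 9.2.0450 patch entry (a bounds check on a file-supplied section length, and allocation size arithmetic done in size_t) applies to any binary-format loader, not just Vim's. The C program below is added here as an illustration of that pattern; it is not Vim's code and does not reproduce the .spl format or the SN_COMPOUND section. The section layout (a 4-byte big-endian entry count followed by the entries), the ITEM_SIZE constant, the function names and the two sample buffers are all constructed for the example. The unchecked variant shows how 32-bit arithmetic on an untrusted count wraps to a tiny allocation size that a later copy loop would overrun; the checked variant rejects the count before anything is allocated.

```c
/* Added illustration of the bug class and its fix; not Vim's code.
 * Format, constants and names are constructed for this example. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ITEM_SIZE 4u   /* hypothetical bytes per entry in a section */

/* Reads a big-endian 32-bit field from the file buffer. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked variant (the bug class): the entry count comes straight
 * from the file and is multiplied in 32-bit arithmetic. A large count
 * wraps modulo 2^32, so malloc() would receive a size far smaller than
 * the number of entries the loader then tries to write. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * ITEM_SIZE + 1;   /* 0x40000000 * 4 + 1 wraps to 1 */
}

/* Checked variant (the fix class): size_t arithmetic, an explicit
 * overflow test, and a cap against the bytes actually left in the
 * section. Returns 0 and sets *out on success, -1 on a rejected count. */
int alloc_size_checked(uint32_t count, size_t section_remaining, size_t *out)
{
    if (count == 0)
        return -1;                                   /* nothing to load */
    if ((size_t)count > (SIZE_MAX - 1) / ITEM_SIZE)
        return -1;                                   /* multiply or +1 would wrap */
    size_t bytes = (size_t)count * ITEM_SIZE;
    if (bytes > section_remaining)
        return -1;                                   /* claims more entries than the file holds */
    *out = bytes + 1;                                /* room for a terminator */
    return 0;
}

/* Convenience wrapper: the checked size, or 0 when the count is rejected. */
size_t checked_size_or_zero(uint32_t count, size_t section_remaining)
{
    size_t out = 0;
    return alloc_size_checked(count, section_remaining, &out) == 0 ? out : 0;
}

/* Loads one constructed section: [count:be32][count * ITEM_SIZE bytes].
 * Returns the number of entries loaded, or -1 if the header is rejected.
 * Because the size is validated first, the copy can never run past the
 * allocation or past the end of the input buffer. */
long parse_section(const unsigned char *buf, size_t len)
{
    if (len < 4)
        return -1;
    uint32_t count = read_be32(buf);
    size_t need;
    if (alloc_size_checked(count, len - 4, &need) != 0)
        return -1;
    unsigned char *items = malloc(need);
    if (items == NULL)
        return -1;
    memcpy(items, buf + 4, need - 1);
    items[need - 1] = 0;
    free(items);
    return (long)count;
}

/* Constructed sample input: a well-formed section with 3 entries, and a
 * section whose count field is far larger than the bytes that follow. */
static const unsigned char GOOD_SECTION[] = {
    0x00, 0x00, 0x00, 0x03,
    'a','b','c','d', 'e','f','g','h', 'i','j','k','l'
};
static const unsigned char BAD_SECTION[] = {
    0x40, 0x00, 0x00, 0x00,
    'a','b','c','d'
};

int main(void)
{
    printf("unchecked size for count 0x40000000: %u\n",
           alloc_size_unchecked(0x40000000u));
    printf("good section entries: %ld\n",
           parse_section(GOOD_SECTION, sizeof GOOD_SECTION));
    printf("bad section entries: %ld\n",
           parse_section(BAD_SECTION, sizeof BAD_SECTION));
    return 0;
}
```

The order of the checks matters: the overflow test runs before the multiplication so the product is never computed on a value that could wrap, and the comparison against the bytes remaining in the section is what turns a malformed file into a clean parse error instead of an undersized heap block.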
Sources
oss-sec: [vim-security] Multiple Memory Safety Issues in Vim Spell File Parser affects Vim < 9.2.0513 (seclists.org)
Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450 · Advisory · vim/vim · GitHub (github.com)
oss-sec: [vim-security] Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450 (seclists.org)
oss-sec: Re: [vim-security] Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450 (seclists.org)
patch 9.2.0450: [security]: heap buffer overflow in spellfile.c read_… · vim/vim@9299332 · GitHub (github.com)