Multiple Vim Flaws Enable Code Execution and Denial of Service
German CERT advisories reported several vulnerabilities in Vim, including flaws that can lead to arbitrary code execution and denial of service. One advisory identified multiple vulnerabilities in Vim broadly, while another separately warned that a Vim vulnerability could be used to crash the application and disrupt availability.
A later product advisory narrowed part of the issue to Vim's Spell File Parser, where multiple vulnerabilities were said to allow denial-of-service conditions. Together, the notices indicate that both general Vim functionality and the spell-file parsing component were affected, raising risks ranging from editor crashes to potentially more severe compromise through code execution.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
dCERT publishes Vim spell file parser DoS advisory 2026-1640
dCERT published advisory 2026-1640 covering multiple vulnerabilities in the Vim Spell File Parser that could allow denial of service. This appears as a separate disclosure focused on the spell file parser component.
dCERT publishes Vim multiple code execution vulnerabilities advisory 2026-1520
dCERT published advisory 2026-1520 for Vim, reporting multiple vulnerabilities that could allow code execution. The reference does not include additional technical specifics.
dCERT publishes Vim DoS vulnerability advisory 2026-1413
dCERT published advisory 2026-1413 for Vim, warning that a vulnerability could allow denial of service. No further technical details are provided in the reference.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
dCERT - Advisory 2026-1640 - vim (Spell File Parser): Multiple Vulnerabilities allow Denial of Service
dcert.de
Open sourcedCERT - Advisory 2026-1520 - vim: Multiple Vulnerabilities allow code execution
dcert.de
Open sourcedCERT - Advisory 2026-1413 - vim: Vulnerability allows Denial of Service
dcert.de
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Code Execution Vulnerabilities Reported in Vim
German CERT advisories identified **code execution vulnerabilities** in `vim`, the widely used text editor, in two separate notices. The advisories, `2026-0782` and `2026-0886`, both describe flaws that could allow an attacker to execute code, indicating ongoing security issues affecting the application. The notices provide limited public detail, but the repeated classification of the issue as code execution highlights potential risk for systems where `vim` is installed or used to process untrusted content. Organizations using `vim` should review the associated advisories, determine affected versions in their environments, and prioritize vendor patches or other mitigations as they become available.
May 4, 2026Vim fixes spell file parser flaws that can crash editors via malicious `.spl` files
Vim disclosed and patched multiple medium-severity memory-safety vulnerabilities in its spell file parser that can be triggered by a crafted `.spl` spell file placed on the `runtimepath`. The first issue, tracked as **`CVE-2026-45130`**, affects Vim versions earlier than **`9.2.0450`** and stems from an integer overflow in `read_compound()` in `src/spellfile.c` when UTF-8 spell data is loaded. A malicious `SN_COMPOUND` length can cause an undersized heap allocation followed by out-of-bounds writes, leading primarily to a crash when a user enables spell checking or opens a file whose modeline sets `spelllang` and `spell`; Vim noted denial of service as the practical impact, though the advisory said code execution might be possible in some conditions. Daniel Cervera of Microsoft Security Engineering reported the flaw, and Vim fixed it by adding stricter bounds checks and safer allocation handling in patch **`9.2.0450`**. Vim later disclosed three additional spell parser bugs affecting versions earlier than **`9.2.0513`**: a heap out-of-bounds read caused by uninitialized shared-node targets, a one-byte heap out-of-bounds read in word-counting logic, and a stack overflow from uncontrolled recursion in `read_tree_node()`. As with the earlier bug, exploitation requires a malicious spell file on the `runtimepath` and user-triggered spell loading, including via modelines. Vim rated the newer issues **Medium** severity and said the likely outcome is editor crashes and limited unintended reads of adjacent or uninitialized heap data rather than reliable code execution, underscoring ongoing risk in the application's spell file parsing path.
May 25, 2026
Vim modeline flaw enables arbitrary command execution via crafted files
A high-severity flaw in **Vim** allows arbitrary OS command execution when a user opens a specially crafted file in affected versions earlier than **9.2.0272**. The bug chain abuses the `tabpanel` option, which was missing the `P_MLE` flag and therefore let modelines inject `%{expr}` expressions even when `modelineexpr` was not enabled; the injected code was then able to escape the sandbox because `autocmd_add()` lacked a `check_secure()` call. The issue affects builds compiled with `+tabpanel`, including common `FEAT_HUGE` builds, and executes with the privileges of the user running Vim. Vim fixed the issue in patch **v9.2.0272** via commit `664701eb7576edb7c7c7d9f2d600815ec1f43459`, and the vulnerability is tracked as **CVE-2026-34714** and **GHSA-2gmj-rpqf-pxvh**. Follow-on discussion on `oss-sec` focused on both CVE coordination and safer defaults for modelines. Maintainers said GitHub Support declined to assign a CVE because one had already been issued, while participants identified the record as **CVE-2026-34714**, reportedly assigned by MITRE. Security researchers and community members also argued that Vim's `modeline` feature remains risky for untrusted files because it is enabled by default in many environments, recommending mitigations such as setting `nomodeline` and moving toward a whitelist-based modeline design or disabling the feature by default; commenters noted that Debian, and likely Ubuntu, have already shipped with modelines disabled by default for years.
Jun 8, 2026