CVE-2026-57455— Vim: Stack out-of-bounds write in `spell_soundfold_sofo()` via an over-length `soundfold()` argument
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-57455
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vim: Stack out-of-bounds write in `spell_soundfold_sofo()` via an over-length `soundfold()` argument
Source: NVD (National Vulnerability Database)
Vulnerability Description
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
跨界内存写
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-57455
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-57455
请登录查看更多情报信息。
Other References for CVE-2026-57455 (3)
- 🔗 Release v9.2.0698 · vim/vim · GitHubx_refsource_MISC
Same Patch Batch · vim · 2026-06-25 · 9 CVEs total
| CVE-2026-57453 | 6.5 MEDIUM | Vim: PowerShell Command Injection via Unescaped Filename in zip.vim Extraction |
| CVE-2026-57452 | 5.5 MEDIUM | Vim: Out-of-bounds Read with libsodium-encrypted Files |
| CVE-2026-55892 | 5.5 MEDIUM | Vim: Out-of-bounds Write in Spell File Prefix Dump |
| CVE-2026-57451 | 5.3 MEDIUM | Vim: Out-of-bounds Read in Text Property Count |
| CVE-2026-57456 | Vim: Arbitrary Code Execution via Python Omni-Completion Docstrings | |
| CVE-2026-57454 | Vim: Out-of-bounds Read with Text Properties | |
| CVE-2026-55895 | Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() via crafted filename | |
| CVE-2026-55693 | Vim: Out-of-bounds Write in Spell File Word Count |
IV. Related Vulnerabilities
Same product: vim
- CVE-2026-55693
Vim: Out-of-bounds Write in Spell File Word Count - CVE-2026-55892
Vim: Out-of-bounds Write in Spell File Prefix Dump - CVE-2026-55895
Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() vi - CVE-2026-57451
Vim: Out-of-bounds Read in Text Property Count - CVE-2026-57452
Vim: Out-of-bounds Read with libsodium-encrypted Files
Same vendor: vim
- CVE-2026-55693
Vim: Out-of-bounds Write in Spell File Word Count - CVE-2026-55892
Vim: Out-of-bounds Write in Spell File Prefix Dump - CVE-2026-55895
Vim: Vimscript Code Injection in netrw NetrwLocalRmFile() vi - CVE-2026-57451
Vim: Out-of-bounds Read in Text Property Count - CVE-2026-57452
Vim: Out-of-bounds Read with libsodium-encrypted Files
Same weakness: CWE-787
- CVE-2026-57876
GV-LPC2011/LPC2211 - unauthorized out-of-bounds writing vuln - CVE-2026-6325
Out-of-bounds write in SetSuitesHashSigAlgo on oversized sig - CVE-2026-6679
DTLS 1.3 ACK serialization heap buffer overflow via integer - CVE-2026-6681
PKCS#7 decode ignores caller output buffer size, writing pas - CVE-2026-55958
Renesas TSIP TLS 1.3 transcript buffer out-of-bounds write i
V. Comments for CVE-2026-57455
No comments yet