CVE-2026-55693 - Vulnerability Details

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://github.com/vim/vim/commit/a80874d9b84a01040e3d1aef2d4a59e1934dafb7
https://github.com/vim/vim/releases/tag/v9.2.0653
https://github.com/vim/vim/security/advisories/GHSA-wgh4-64f7-q3jq

History

Thu, 25 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.
Title		Vim: Out-of-bounds Write in Spell File Word Count
Weaknesses		CWE-787
References		https://github.com/vim/vim/commit/a80874d9b84a01040e3d1aef2d4a59e1934dafb7 https://github.com/vim/vim/releases/tag/v9.2.0653 https://github.com/vim/vim/security/advisories/GHSA-wgh4-64f7-q3jq
Metrics		cvssV4_0 `{'score': 5.7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-25T15:34:33.424Z

Updated: 2026-06-25T15:34:33.424Z

Reserved: 2026-06-17T00:13:10.650Z

Link: CVE-2026-55693

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:30:15Z

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object