CVE-2026-55892 - Vulnerability Details

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products

References

Link	Providers
https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f
https://github.com/vim/vim/releases/tag/v9.2.0662
https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h

History

Thu, 25 Jun 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.
Title		Vim: Out-of-bounds Write in Spell File Prefix Dump
Weaknesses		CWE-787
References		https://github.com/vim/vim/commit/8325b193bba5f01e7a7d8241f https://github.com/vim/vim/releases/tag/v9.2.0662 https://github.com/vim/vim/security/advisories/GHSA-qm9w-fmpj-879h
Metrics		cvssV3_1 `{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-25T15:32:41.238Z

Updated: 2026-06-25T15:32:41.238Z

Reserved: 2026-06-17T16:59:42.760Z

Link: CVE-2026-55892

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T16:45:03Z

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object