Vulnerabilities ›

CVE-2026-28419

Medium

CWE-124 — Weakness Type

                    Published: Feb 27, 2026                      ·  Modified: Mar 5, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.

🤖 AI Executive Summary

Vim versions prior to 9.2.0075 contain a heap-based buffer underflow vulnerability in tags file parsing that could allow attackers to read adjacent memory. The vulnerability is triggered when processing malformed tags files with delimiters at line starts.

📄 Description (Arabic)

تحتوي ثغرة CWE-124 على تدفق ذاكرة heap في منطق معالجة ملفات الوسوم بنمط Emacs في محرر Vim. عند معالجة ملف وسوم معيب يحتوي على فاصل في بداية السطر، يحاول Vim قراءة الذاكرة السابقة للمخزن المؤقت المخصص. يتم إصلاح المشكلة في الإصدار 9.2.0075.

🤖 ملخص تنفيذي (AI)

إصدارات Vim السابقة للإصدار 9.2.0075 تحتوي على ثغرة تدفق ذاكرة heap في معالجة ملفات الوسوم قد تسمح للمهاجمين بقراءة الذاكرة المجاورة. يتم تفعيل الثغرة عند معالجة ملفات وسوم معيبة تحتوي على فواصل في بداية الأسطر.

🤖 AI Intelligence Analysis Analyzed: May 30, 2026 03:24

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: medium

🏢 Affected Saudi Sectors

government telecom

🎯 MITRE ATT&CK Techniques

T1190 T1203

⚖️ Saudi Risk Score (AI)

5.0

/ 10.0

🔧 Remediation Steps (English)

Update Vim to version 9.2.0075 or later immediately. Organizations should validate all Vim installations across development and administrative systems and apply patches through their software update mechanisms.

🔧 خطوات المعالجة (العربية)

قم بتحديث Vim إلى الإصدار 9.2.0075 أو أحدث فوراً. يجب على المؤسسات التحقق من جميع تثبيتات Vim عبر أنظمة التطوير والإدارة وتطبيق التصحيحات من خلال آليات تحديث البرامج.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

2.1 2.2

🔵 SAMA CSF

ID.RA-1 PR.IP-12

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1

🔗 References & Sources 4

🔗

https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812

security-advisories@github.com

Patch

🔗

https://github.com/vim/vim/releases/tag/v9.2.0075

security-advisories@github.com

Product

🔗

https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv

security-advisories@github.com

Patch Vendor Advisory

🔗

http://www.openwall.com/lists/oss-security/2026/02/27/8

af854a3a-2127-422b-91ae-364da2661108

Mailing List Patch Third Party Advisory

📦 Affected Products / CPE 1 entries

vim:vim

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Attack VectorL — Low / Local

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionR — Required

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-124

Exploit No

Patch ✓ Yes

Published 2026-02-27

Source Feed nvd

🇸🇦 Saudi Risk Score

5.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

patch-available CWE-124

🏢 Vendor Advisories

🔗 https://github.com/vim/vim/security/advisories/GHSA-...

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-28419

💬 Comments

Introduce Yourself

Sign In Required