CVE-2026-55693 in Viminfo

Summary

by MITRE • 06/25/2026

Vim is an open source, command line text editor. Prior to 9.2.0653, the tree_count_words() function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (arridx[], curi[], wordcount[]). A crafted .spl/.sug file pair, loaded when the user invokes spell suggestion, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0653.

Analysis

by VulDB Data Team • 06/25/2026

The vulnerability affects Vim versions prior to 9.2.0653, specifically the spell-checking functionality that processes .spl and .sug files. It is a classic stack-based buffer overflow that occurs during the iterative traversal of a spell-file word trie. The affected function, tree_count_words() in src/spellfile.c, does not bounds-check its depth-first traversal, so crafted input files can cause arbitrary stack memory corruption.

The technical flaw stems from insufficient validation of traversal depth during the trie walk. When Vim processes spell suggestion files, tree_count_words() descends iteratively with a depth counter that operates independently of the fixed-size MAXWLEN arrays it indexes. These arrays, including arridx[], curi[], and wordcount[], have fixed bounds that are never verified against the depth actually reached during processing. This disconnect between dynamic traversal depth and static array sizing creates an exploitable condition in which maliciously crafted spell files can push the depth index beyond the end of the allocated arrays.

The operational impact is a stack out-of-bounds write that corrupts the call frame, leading to unpredictable program behavior and eventually a crash. Attackers can use specially constructed .spl/.sug file pairs to trigger deep traversals that write past the end of the bounded arrays, potentially enabling arbitrary code execution or denial-of-service attacks against vulnerable Vim installations. The vulnerability becomes exploitable when users invoke spell suggestion with maliciously crafted files, making it particularly dangerous in environments where users might encounter untrusted text files or documents.

This vulnerability aligns with CWE-121 Stack-based Buffer Overflow and represents a failure in proper input validation and memory boundary checking within the spell file processing subsystem. From an ATT&CK perspective, this issue maps to techniques involving privilege escalation through software exploitation and denial-of-service attacks targeting application components. The fix implemented in version 9.2.0653 addresses the core problem by enforcing proper bounds checking on depth counter values against the maximum array sizes, preventing the out-of-bounds memory access that previously enabled stack corruption. Organizations should prioritize updating to this patched version or later releases to mitigate the risk of exploitation through crafted spell files.
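The bounds check described above, shown on a simplified flat trie as an added example (this is not Vim's code). The trie layout, DEMO_MAXWLEN and all demo_* names are assumptions made for illustration; the walk refuses to descend once the depth counter would index past the fixed stack arrays.

```c
#include <stdio.h>

#define DEMO_MAXWLEN 8  /* constructed small bound standing in for MAXWLEN */

/* Assumed layout: byts[n] = number of siblings at node n, followed by that
 * many bytes; byte 0 ends a word, otherwise idxs[pos] is the child node. */
typedef struct { const unsigned char *byts; const int *idxs; int len; } demo_trie;

/* Returns the word count, or -1 if the trie is malformed or too deep. */
int demo_count_words(const demo_trie *t)
{
    int arridx[DEMO_MAXWLEN], curi[DEMO_MAXWLEN];
    int depth = 0, words = 0;

    if (t->len <= 0) return -1;
    arridx[0] = 0; curi[0] = 1;
    while (depth >= 0) {
        int n = arridx[depth];
        if (curi[depth] > t->byts[n]) { --depth; continue; } /* siblings done */
        int pos = n + curi[depth]++;
        if (pos >= t->len) return -1;                /* sibling run overruns data */
        if (t->byts[pos] == 0) { ++words; continue; }  /* end of a word */
        int child = t->idxs[pos];
        if (child < 0 || child >= t->len) return -1; /* child index out of range */
        /* The check the page describes: depth must stay inside the arrays. */
        if (depth + 1 >= DEMO_MAXWLEN) return -1;
        ++depth;
        arridx[depth] = child; curi[depth] = 1;
    }
    return words;
}

/* Constructed input: one word of `levels` letters, i.e. a chain that deep. */
int demo_chain(int levels)
{
    unsigned char byts[64]; int idxs[64] = {0};
    int i;
    if (levels < 1 || levels > 31) return -1;
    for (i = 0; i < levels; i++) { byts[2*i] = 1; byts[2*i+1] = 'a'; idxs[2*i+1] = 2*(i+1); }
    byts[2*levels] = 1; byts[2*levels+1] = 0;        /* terminal node */
    demo_trie t = { byts, idxs, 2*levels + 2 };
    return demo_count_words(&t);
}

int main(void)
{
    printf("depth 7: %d, depth 8: %d\n", demo_chain(7), demo_chain(8));
    return 0;
}
```

Without the `depth + 1 >= DEMO_MAXWLEN` test, the chain of 8 levels would write arridx[8] and curi[8], one element past each array.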

Responsible: GitHub M
Reservation: 06/17/2026
Disclosure: 06/25/2026
Moderation: accepted
CPE: ready
EPSS: 0.00000
KEV: no
Activities: low
