CVE-2026-55892 in Viminfo

Summary

by MITRE • 06/25/2026

Vim is an open source, command line text editor. Prior to 9.2.0662, the dump_prefixes() function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never checked against the size of the fixed MAXWLEN-element stack arrays it indexes (prefix[], arridx[], curi[]). A crafted .spl file, loaded when the user dumps the word list, can drive the descent arbitrarily deep, so the function writes past the end of those arrays. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0662.


Analysis

by VulDB Data Team • 06/26/2026

The vulnerability described affects Vim versions prior to 9.2.0662 and stems from improper bounds checking within the dump_prefixes() function located in src/spell.c. This function processes spell-file prefix tries during word list dumping operations, creating a path for malicious input to exploit memory corruption through stack-based buffer overflows. The flaw manifests when processing specially crafted .spl files that contain deeply nested prefix structures, allowing an attacker to manipulate the iterative descent through the trie structure beyond the intended array boundaries.

The technical implementation of this vulnerability involves a depth counter that controls traversal of the spell-file prefix trie structure without proper validation against fixed-size stack arrays. These arrays, including prefix[], arridx[], and curi[], are constrained to MAXWLEN elements, but the depth counter operates independently without bounds checking. When an attacker provides a malicious .spl file with excessive nesting, the iterative traversal routine continues past array limits, resulting in out-of-bounds writes that corrupt adjacent memory locations within the call frame. This type of vulnerability aligns with CWE-121 Stack-based Buffer Overflow and represents a classic case of insufficient bounds checking in recursive or iterative data structure traversal.

The operational impact of this vulnerability is significant, as it allows for arbitrary code execution through controlled memory corruption, potentially leading to complete system compromise when users process malicious spell files. The crash occurs during normal editor operation when users dump word lists, making exploitation possible through social engineering attacks or by tricking users into opening crafted spell files. This vulnerability affects the core functionality of Vim's spell checking mechanism and could be leveraged in supply chain attacks targeting developers who rely on Vim for text editing tasks.

Mitigation strategies include immediate deployment of Vim version 9.2.0662, which contains the necessary bounds checking fixes to prevent the out-of-bounds write conditions. Administrators should also implement strict file validation procedures for spell files, particularly those obtained from untrusted sources or third-party repositories. The ATT&CK framework categorizes this vulnerability under T1203 Exploitation for Client Execution and T1059 Command and Scripting Interpreter, as it enables attackers to execute malicious code through compromised editor operations. Additional defensive measures include restricting user privileges when processing spell files and implementing network-based restrictions on potentially malicious file types to prevent automatic loading of untrusted spell data.
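The bounds check the analysis describes as missing, shown in an added example that is not Vim's code or its patch: a simplified model of an iterative trie walk whose per-level stack arrays hold MAXWLEN entries. The flat byts/idxs layout, the MAXWLEN value of 16, and the names walk_prefixes, chain_result and MAXCHAIN are assumptions made for the model.

```c
#include <stdio.h>

#define MAXWLEN  16   /* model value, not taken from the Vim source */
#define MAXCHAIN 64   /* largest constructed test trie */

/* Model layout (assumption): byts[n] is the sibling count of the node at n,
 * byts[n+1..] are its bytes (0 ends a prefix), idxs[n+i] is the child node.
 * Returns the number of prefixes found, or -1 if the trie is malformed or
 * deeper than the per-level arrays allow. */
int walk_prefixes(const unsigned char *byts, const int *idxs, int nbyts)
{
    unsigned char prefix[MAXWLEN];
    int arridx[MAXWLEN], curi[MAXWLEN];
    int depth = 0, count = 0;

    arridx[0] = 0;
    curi[0] = 1;
    while (depth >= 0) {
        int n = arridx[depth];
        if (n < 0 || n >= nbyts) return -1;        /* index from file out of range */
        if (curi[depth] > byts[n]) { --depth; continue; } /* siblings done */
        n += curi[depth]++;
        if (n >= nbyts) return -1;
        if (byts[n] == 0) { ++count; continue; }   /* end of one prefix */
        /* The check the advisory says was absent: the next level must still
         * fit in prefix[], arridx[] and curi[] before anything is written. */
        if (depth + 1 >= MAXWLEN) return -1;
        prefix[depth++] = byts[n];
        arridx[depth] = idxs[n];
        curi[depth] = 1;
    }
    (void)prefix;
    return count;
}

/* Builds a constructed single-branch trie 'levels' deep and walks it. */
int chain_result(int levels)
{
    static unsigned char byts[2 * MAXCHAIN + 2];
    static int idxs[2 * MAXCHAIN + 2];
    if (levels < 0 || levels > MAXCHAIN) return -2;
    for (int i = 0; i < levels; i++) {
        byts[2 * i] = 1; byts[2 * i + 1] = 'a'; idxs[2 * i + 1] = 2 * (i + 1);
    }
    byts[2 * levels] = 1; byts[2 * levels + 1] = 0; /* terminating node */
    return walk_prefixes(byts, idxs, 2 * levels + 2);
}

int main(void)
{
    printf("%d %d\n", chain_result(MAXWLEN - 1), chain_result(MAXWLEN));
    return 0;
}
```

A trie whose child index points back at an ancestor is rejected by the same depth check, since the walk can never descend more than MAXWLEN - 1 levels.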

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

06/25/2026

Moderation

accepted

CPE

ready

EPSS

0.00122

KEV

no

Activities

low
