CVE-2026-52859

Description

Vim is an open source, command line text editor. Prior to version 9.2.0565, the update_snapshot() function in src/terminal.c copies the visible terminal screen into the scrollback buffer when a snapshot is taken. For each screen cell it walks the cell's chars[] array with no upper bound, stopping only when it encounters a NUL terminator. When a cell legitimately fills all VTERM_MAX_CHARS_PER_CELL (6) slots — a base character plus five combining marks — the bundled libvterm returns the array without a terminating NUL, so the loop reads past the fixed six-element array and appends the out-of-bounds values to a buffer reserved for only six characters. A program whose output is rendered inside a :terminal window can trigger this with a short byte sequence and no Vim scripting, leading to a crash. This issue has been patched in version 9.2.0565.

• How can I get the fixes?
• What do statuses mean?
• Patch details

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Patch details

Severity score breakdown

CVSS version: CVSS v4.0 CVSS v4.0 CVSS v3.0

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-8451-1
• Vim vulnerabilities
• 18 June 2026

Other references

• https://www.cve.org/CVERecord?id=CVE-2026-52859
• https://github.com/vim/vim/security/advisories/GHSA-47gw-8gc3-mgcm
• https://github.com/vim/vim/commit/63680c6d3d52477817b49cd1a66e7aabe8a7aa19
• https://github.com/vim/vim/releases/tag/v9.2.0565