Vim before 9.2.0074 allows reading sensitive data
CVE-2026-28418
Summary
A security issue in older versions of Vim can cause the program to access sensitive data that it shouldn't. This could potentially allow an attacker to see confidential information. To stay safe, update to version 9.2.0074 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| vim | vim | <= 9.2.0074 | – |
Original title
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a ma...
Original description
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
NVD CVSS 3.1 base score: 5.5
Vulnerability type
- CWE-122: Heap-based Buffer Overflow
- CWE-125: Out-of-bounds Read
References
- https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb (Patch)
- https://github.com/vim/vim/releases/tag/v9.2.0074 (Release Notes)
- https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j (Patch, Vendor Advisory)
- http://www.openwall.com/lists/oss-security/2026/02/27/7 (Mailing List, Patch, Third Party Advisory)
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026