Out-of-bounds Read with libsodium-encrypted Files
Summary
Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt~04! or VimCrypt~05! method (xchacha20poly1305, requires the +sodium feature) whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflows and a subsequent decryption call reads far past the end of the input buffer, crashing Vim. This vulnerability is fixed in 9.2.0671. A flaw was found in Vim, an open source command-line text editor. When opening a specially crafted encrypted file using the VimCrypt~04! or VimCrypt~05! methods, an attacker could trigger an unsigned length calculation error. This issue leads to an out-of-bounds read, causing Vim to crash and resulting in a denial of service. This Moderate impact vulnerability in Vim arises from an out-of-bounds read when processing a specially crafted libsodium-encrypted file. If a user opens a malicious file encrypted with VimCrypt~04! or VimCrypt~05! and the file body is shorter than a single libsodium secretstream header, Vim may crash. This issue requires user interaction to open a malformed file and the +sodium feature to be enabled, limiting its exploitability in typical Red Hat environments. Red Hat severity: Moderate — CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-125. Fixed by RHSA-2026:30267 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images. Will not fix / out of support: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7.
- vim-main-9.2.725-1.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- vim-main-9.2.725-1.hum1
- RHSA-2026:30267
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- Ensure the spell checker is turned off by running :set nospell within Vim. Do not open untrusted or suspicious files—particularly those encrypted with libsodium methods (VimCrypt~04! or VimCrypt~05!)—within the Vim editor. This prevents the execution of the vulnerable decryption routine
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.