Denial of Service via stack out-of-bounds write in spell_soundfold_sofo()
Summary
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer. This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This vulnerability is fixed in 9.2.0698. A memory corruption flaw in Vim allows an attacker to cause a Denial of Service (DoS). When a SOFO-based spell language is active, providing an excessively long word to the spell checker triggers a stack out-of-bounds write in the spell_soundfold_sofo() function, causing the editor to crash. This Moderate impact flaw in Vim, a command-line text editor, is due to a stack out-of-bounds write in the spell checker. Exploitation requires a user to open a specially crafted file or encounter a long word via spell suggestion while a SOFO-based spell language is active, leading to a Denial of Service. This is not a default configuration in most Red Hat environments, limiting the attack surface. Red Hat severity: Moderate — CVSS 4.7 (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-787. Fixed by RHSA-2026:30267 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- vim-main-9.2.725-1.hum1
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- vim-main-9.2.725-1.hum1
- RHSA-2026:30267
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- To mitigate this issue disable spell checking or avoid using SOFO-based spell files. This can be achieved globally by adding set nospell to your ~/.vimrc configuration file. Ensure your systems utilize standard UTF-8 encoding. This flaw is strictly confined to legacy 8-bit encodings and cannot be triggered under default Red Hat configurations.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.