Denial of Service via out-of-bounds write in spell sound-folding
Summary
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725. An out-of-bounds write vulnerability in Vim's spell_soundfold_sal() function allows an attacker to corrupt memory and crash the editor (Denial of Service) by supplying a specially crafted word during spell sound-folding. This Moderate impact flaw in Vim's spell sound-folding feature can lead to a denial of service. This vulnerability primarily affects interactive users of the Vim text editor. Red Hat severity: Moderate — CVSS 5.5 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H). Weakness: CWE-787.
- < 9.2.0725
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 9.2.0725
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation checklist
- This vulnerability can be mitigated by preventing Vim from automatically applying editor configurations embedded in files. Add the following line to the global /etc/vimrc or local ~/.vimrc configuration file: set nomodeline
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.