Vim <9.2.0725: spell_soundfold_sal Buffer Overwrite CVE-2026-59857
CVE-2026-59857 Published on July 9, 2026
Vim: Out-of-bounds Write in SAL Soundfolding
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
Weakness Type
What is a Memory Corruption Vulnerability?
The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.
CVE-2026-59857 has been classified to as a Memory Corruption vulnerability or weakness.
Products Associated with CVE-2026-59857
stack.watch emails you whenever new vulnerabilities are published in Vim or Canonical Ubuntu Linux. Just hit a watch button to start following.