Vim <9.2.0725: spell_soundfold_sal Buffer Overwrite CVE-2026-59857
CVE-2026-59857 Published on July 9, 2026

Vim: Out-of-bounds Write in SAL Soundfolding
Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.

NVD

Weakness Type

What is a Memory Corruption Vulnerability?

The software writes data past the end, or before the beginning, of the intended buffer. Typically, this can result in corruption of data, a crash, or code execution. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent write operation then produces undefined or unexpected results.

CVE-2026-59857 has been classified to as a Memory Corruption vulnerability or weakness.


Products Associated with CVE-2026-59857

stack.watch emails you whenever new vulnerabilities are published in Vim or Canonical Ubuntu Linux. Just hit a watch button to start following.

Vim
 
 

Affected Versions

vim Version < 9.2.0725 is affected by CVE-2026-59857