Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076
===========================================================================
Date: 27.02.2026
Severity: Moderate
CVE: CVE-2026-28420
CWE: Heap-based Buffer Overflow (CWE-122) / Out-of-bounds Read (CWE-125)

### Summary
A heap-based buffer overflow (write) and an out-of-bounds read exist in 
Vim's terminal emulator when a screen cell holds the maximum number of 
combining characters and those characters come from Unicode supplementary 
planes.

### Description
The vulnerabilities are located in handle_pushline() in src/terminal.c. 

1) Heap overflow: handle_pushline() grows the destination buffer by 21 
bytes (MB_MAXBYTES) per cell via ga_grow(). That reservation is only 
sufficient while every character in the cell lies in the Basic 
Multilingual Plane, where a code point takes at most 3 bytes in UTF-8 
(6 * 3 = 18 bytes). A cell may hold up to 6 characters, and characters 
from the supplementary planes take 4 bytes each, so a fully populated 
cell of such characters needs 24 bytes. Converting it writes 3 bytes past 
the reserved space on the heap.

2) OOB read: the loop that walks the characters of a cell does not bound 
its index by the size of the vterm_screen_cell_t.chars array. When all 6 
slots are in use there is no terminating zero, so the loop condition 
reads chars[6], one element past the end of the 6-element array.
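The following C program is an added illustration, not Vim's code and not the upstream patch. It models the two defects with the figures given above (6 slots per cell, 21 bytes reserved, 3 bytes per BMP code point, 4 per supplementary-plane code point): a cell type with a six-slot array, the unbounded counting loop that dereferences chars[6] on a full cell, a bounded replacement, and an encoder that refuses to write when the reservation is too small. All identifiers (cell_t, MAX_CHARS_PER_CELL, OLD_PER_CELL_RESERVE, cell_encode and the rest) are illustrative names chosen here, and the sample cells are constructed input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Figures from the advisory; the names are illustrative, not Vim's identifiers. */
#define MAX_CHARS_PER_CELL   6   /* chars[] slots per terminal cell */
#define OLD_PER_CELL_RESERVE 21  /* bytes reserved per cell in the vulnerable code */
#define MAX_UTF8_BYTES       4   /* longest UTF-8 sequence for one code point */

/* A terminal cell as the advisory describes it: up to six code points,
 * zero-terminated only when fewer than six are in use. */
typedef struct {
    uint32_t chars[MAX_CHARS_PER_CELL];
} cell_t;

/* UTF-8 length of a code point (assumes a valid scalar value <= 0x10FFFF). */
static size_t utf8_len(uint32_t c)
{
    if (c < 0x80)    return 1;
    if (c < 0x800)   return 2;
    if (c < 0x10000) return 3;
    return 4;
}

/* Unbounded loop: the slot is read before the index is checked, so a full
 * cell (no terminating zero) reads chars[6]. Kept only to contrast with the
 * bounded loop below; never call it on a full cell. */
static int cell_char_count_unsafe(const cell_t *cell)
{
    int i;
    for (i = 0; cell->chars[i] != 0 && i < MAX_CHARS_PER_CELL; ++i)
        ;
    return i;
}

/* Bounded loop: check the index first, then read the slot. */
static int cell_char_count(const cell_t *cell)
{
    int i;
    for (i = 0; i < MAX_CHARS_PER_CELL && cell->chars[i] != 0; ++i)
        ;
    return i;
}

/* Bytes needed to UTF-8 encode every character stored in the cell. */
static size_t cell_utf8_bytes(const cell_t *cell)
{
    size_t n = 0;
    int count = cell_char_count(cell);
    for (int i = 0; i < count; ++i)
        n += utf8_len(cell->chars[i]);
    return n;
}

/* Encode the cell into dst. Returns bytes written, or 0 when dst_len is too
 * small (the case a fixed 21-byte reservation gets wrong for astral cells). */
static size_t cell_encode(const cell_t *cell, char *dst, size_t dst_len)
{
    size_t need = cell_utf8_bytes(cell);
    if (need > dst_len)
        return 0;
    size_t pos = 0;
    int count = cell_char_count(cell);
    for (int i = 0; i < count; ++i) {
        uint32_t c = cell->chars[i];
        if (c < 0x80) {
            dst[pos++] = (char)c;
        } else if (c < 0x800) {
            dst[pos++] = (char)(0xC0 | (c >> 6));
            dst[pos++] = (char)(0x80 | (c & 0x3F));
        } else if (c < 0x10000) {
            dst[pos++] = (char)(0xE0 | (c >> 12));
            dst[pos++] = (char)(0x80 | ((c >> 6) & 0x3F));
            dst[pos++] = (char)(0x80 | (c & 0x3F));
        } else {
            dst[pos++] = (char)(0xF0 | (c >> 18));
            dst[pos++] = (char)(0x80 | ((c >> 12) & 0x3F));
            dst[pos++] = (char)(0x80 | ((c >> 6) & 0x3F));
            dst[pos++] = (char)(0x80 | (c & 0x3F));
        }
    }
    return pos;
}

/* Constructed input: a cell holding `count` copies of cp, rest zeroed. */
static cell_t make_cell(uint32_t cp, int count)
{
    cell_t cell;
    memset(&cell, 0, sizeof cell);
    for (int i = 0; i < count && i < MAX_CHARS_PER_CELL; ++i)
        cell.chars[i] = cp;
    return cell;
}

/* Bytes required for a cell of `count` copies of cp. */
static size_t bytes_for(uint32_t cp, int count)
{
    cell_t cell = make_cell(cp, count);
    return cell_utf8_bytes(&cell);
}

/* Try to encode such a cell into `reserve` bytes; 0 means refused. */
static size_t encode_into(uint32_t cp, int count, size_t reserve)
{
    char buf[MAX_CHARS_PER_CELL * MAX_UTF8_BYTES];
    cell_t cell = make_cell(cp, count);
    if (reserve > sizeof buf)
        reserve = sizeof buf;
    return cell_encode(&cell, buf, reserve);
}

int main(void)
{
    /* U+FE0F (BMP, 3 bytes) fits the old reservation; U+1F600 (astral, 4 bytes) does not. */
    printf("6 x U+FE0F  need %zu bytes, reserve %d\n", bytes_for(0xFE0F, 6), OLD_PER_CELL_RESERVE);
    printf("6 x U+1F600 need %zu bytes, reserve %d, written into 21: %zu\n",
           bytes_for(0x1F600, 6), OLD_PER_CELL_RESERVE, encode_into(0x1F600, 6, OLD_PER_CELL_RESERVE));
    return 0;
}
```

The bounded loop and the size check are the two properties a fix needs: the index must be compared against the array length before the slot is dereferenced, and the reservation per cell must cover the worst case of six 4-byte sequences rather than six 3-byte ones.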

### Impact
An attacker who controls the output of a program running inside a Vim 
:terminal buffer can trigger the heap buffer overflow and the 
out-of-bounds read. The result is a crash (denial of service) or 
potential memory corruption.

### Acknowledgements
The Vim project would like to thank GitHub users ehdgks0627 and 
un3xploitable for reporting the vulnerability and providing a 
proof-of-concept.

### References
The issue has been fixed as of Vim patch 
[v9.2.0076](https://github.com/vim/vim/releases/tag/v9.2.0076)

[Commit](https://github.com/vim/vim/commit/bb6de2105b160e729c34063)
[GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg)

Thanks,
Christian
-- 
Here we work hand in hand: what one of us doesn't manage, the other
leaves lying. What nobody can do, I can do too!
