CVE-2026-28418: Heap-Based Out-of-Bounds Read in Vim Emacs Tags Parser
Vulnerability ID: CVE-2026-28418
CVSS Score: 4.4
Published: 2026-02-27
Vim versions prior to 9.2.0074 suffer from an out-of-bounds read vulnerability in the Emacs-style tags file parsing logic. The flaw allows an attacker to trigger an out-of-bounds memory read of up to 7 bytes by supplying a crafted tags file. Processing this file via standard Vim commands results in a denial of service (crash) or potential minor heap memory exposure.
TL;DR
Vim < 9.2.0074 contains an out-of-bounds read (CWE-125) in src/tag.c triggered by malformed Emacs tags files. Exploitation requires user interaction and causes denial of service.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-125
- Attack Vector: Local
- CVSS Score: 4.4
- EPSS Score: 0.00004
- Exploit Status: PoC Available
- CISA KEV: Not Listed
Affected Systems
- Developer Workstations using Vim
- Servers with Vim installed as the default editor
- Vim: < 9.2.0074 (Fixed in: 9.2.0074)
Code Analysis
Commit: f6a7f46
Fix out-of-bounds read in emacs_tags_new_filename
Exploit Details
- Vim Test Suite: Proof of concept test case embedded within the patch commit
Mitigation Strategies
- Update Vim to a patched version
- Avoid parsing untrusted Emacs-style tag files
Remediation Steps:
- Identify all systems and container images running Vim < 9.2.0074.
- Update OS packages (e.g., via apt, yum, or pacman) to the latest provided versions containing the backported patch.
- If compiling from source, pull the latest commits at or beyond f6a7f469a9c0d09e84cd6cb46c3a9e76f684da2d and recompile.
- Advise developers to avoid downloading and executing :tag in directories from untrusted sources.
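One way to carry out the first remediation step, as an added example that is not part of the original advisory: a shell function that reads `vim --version` output and reports whether the build is older than 9.2.0074. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Vim builds older than the fixed release 9.2.0074.

# Print "MAJOR MINOR PATCH" parsed from `vim --version` text on stdin.
vim_version_triplet() {
    awk '
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ && !seen {
            split($5, v, "[.]"); major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        /^Included patches:/ {
            # Ranges look like "1-74" or "1-50, 52-74"; keep the highest number.
            line = $0; gsub(/[^0-9]+/, " ", line)
            n = split(line, p, " ")
            for (i = 1; i <= n; i++) if (p[i] + 0 > patch) patch = p[i] + 0
        }
        END { if (!seen) exit 1; print major, minor, patch + 0 }
    '
}

# Return 0 when the version on stdin is older than 9.2.0074 (vulnerable),
# 1 when it is at or beyond the fix, 2 when the text cannot be parsed.
vim_is_vulnerable() {
    triplet=$(vim_version_triplet) || return 2
    set -- $triplet
    if [ "$1" -lt 9 ]; then return 0; fi
    if [ "$1" -gt 9 ]; then return 1; fi
    if [ "$2" -lt 2 ]; then return 0; fi
    if [ "$2" -gt 2 ]; then return 1; fi
    [ "$3" -lt 74 ]
}

# Constructed samples of the first lines of `vim --version` output.
SAMPLE_OLD='VIM - Vi IMproved 9.1 (constructed sample)
Included patches: 1-1016'
SAMPLE_EDGE='VIM - Vi IMproved 9.2 (constructed sample)
Included patches: 1-73'
SAMPLE_FIXED='VIM - Vi IMproved 9.2 (constructed sample)
Included patches: 1-50, 52-74'

for s in "$SAMPLE_OLD" "$SAMPLE_EDGE" "$SAMPLE_FIXED"; do
    if printf '%s\n' "$s" | vim_is_vulnerable; then
        echo "older than 9.2.0074: update required"
    else
        echo "at or beyond 9.2.0074"
    fi
done
```

On a host, run `vim --version | vim_is_vulnerable`. Distribution packages that carry a backported fix can still report a lower patch number, so confirm any hit against the vendor's advisory.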