CVE-2026-45130 Overview
CVE-2026-45130 is a heap buffer overflow [CWE-122] in the read_compound() function in src/spellfile.c of Vim, the open source command line text editor. The vulnerability exists in versions prior to 9.2.0450 when loading a crafted spell file (.spl) with UTF-8 encoding enabled. An attacker-controlled length field in the compound section overflows a 32-bit signed integer multiplication, causing allocation of an undersized buffer that is then written past its boundary. Because the spelllang option can be set from a modeline, opening a text file can trigger spell file loading if a malicious .spl file resides on the runtimepath. The issue has been patched in Vim 9.2.0450.
Critical Impact
Opening an untrusted text file in Vim can lead to heap corruption, application crash, or potential local code execution when a malicious spell file is planted on the runtimepath.
Affected Products
- Vim text editor versions prior to 9.2.0450
- Vim installations with UTF-8 encoding active
- Systems where modeline parsing is enabled (default behavior in many configurations)
Discovery Timeline
- 2026-05-08 - CVE-2026-45130 published to NVD
- 2026-05-14 - Openwall OSS Security disclosure post published
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-45130
Vulnerability Analysis
The flaw resides in the read_compound() routine within src/spellfile.c, which parses the compound word section of Vim spell files. The function reads a length field directly from the attacker-controlled .spl file and uses it in a 32-bit signed integer multiplication to compute a buffer allocation size. When the supplied length is sufficiently large, the multiplication overflows, wrapping to a small positive value. Vim then allocates an undersized heap buffer, but the subsequent write loop iterates based on the original large length, writing far past the allocated region and corrupting adjacent heap memory.
Exploitation requires user interaction since the victim must open a file in Vim. However, because Vim modelines can set the spelllang option, a benign-looking text file containing a crafted modeline can trigger automatic loading of a malicious spell file placed on the Vim runtimepath. This significantly broadens the attack surface beyond direct invocation of :setlocal spell.
Root Cause
The root cause is missing bounds validation on the COMPOUND section length field before performing arithmetic used for buffer sizing. The fix introduces a hard upper bound (COMPOUND_MAX_LEN set to 100000) that rejects oversized values before allocation occurs, eliminating the integer overflow path.
Attack Vector
The attack is local and requires user interaction. An attacker must place a malicious .spl file on a directory present in Vim's runtimepath and convince the victim to open a text file referencing the corresponding language via modeline or manual configuration. The resulting heap corruption affects confidentiality, integrity, and availability of the Vim process.
// Patch from Vim 9.2.0450 - src/spellfile.c
#define CF_WORD 0x01
#define CF_UPPER 0x02
+// Max allowed length for COMPOUND section
+#define COMPOUND_MAX_LEN 100000
+
/*
* Loop through all the siblings of a node (including the node)
*/
Source: GitHub Commit 92993329
// Patch from Vim 9.2.0450 - src/version.c (patch number registration)
static int included_patches[] =
{ /* Add new patch number below this line */
+/**/
+ 450,
/**/
449,
/**/
Source: GitHub Release v9.2.0450
Detection Methods for CVE-2026-45130
Indicators of Compromise
- Presence of unexpected .spl files in directories on Vim's runtimepath, particularly in user-writable locations under ~/.vim/spell/ or system spell directories
- Vim process crashes or abnormal terminations correlated with opening specific text files
- Text files containing suspicious modelines that set spelllang to non-standard language codes referencing attacker-controlled spell files
Detection Strategies
- Inventory installed Vim versions across endpoints and flag any build earlier than 9.2.0450
- Scan user home directories and shared paths for .spl files with recent modification timestamps or unknown provenance
- Inspect text files transferred from untrusted sources for modeline directives that manipulate spelllang, runtimepath, or related spell options
Monitoring Recommendations
- Monitor file integrity on Vim runtimepath directories to identify unauthorized creation of spell files
- Log Vim process crashes via system telemetry and correlate with recently opened files
- Track creation of .spl files in user-writable directories using endpoint file activity telemetry
How to Mitigate CVE-2026-45130
Immediate Actions Required
- Upgrade Vim to version 9.2.0450 or later on all systems where the editor is installed
- Audit Vim runtimepath directories for unauthorized or untrusted .spl files and remove any not installed by trusted package sources
- Disable modeline parsing in shared or multi-user environments where untrusted text files may be opened
Patch Information
The vulnerability is fixed in Vim 9.2.0450 via commit 92993329178cb1f72d700fff45ca86e1c2d369f8. The patch introduces a COMPOUND_MAX_LEN constant of 100000 that bounds the COMPOUND section length before any size calculation, preventing the integer overflow. Refer to the GitHub Security Advisory GHSA-q4jv-r9gj-6cwv and the Openwall OSS Security Post for vendor details.
Workarounds
- Disable modelines by adding set nomodeline to ~/.vimrc or /etc/vim/vimrc to prevent automatic spelllang changes from untrusted files
- Disable spell checking globally with set nospell until patched versions are deployed
- Restrict write permissions on directories included in Vim's runtimepath to prevent unauthorized placement of malicious .spl files
# Configuration example: vimrc hardening until patch is applied
echo 'set nomodeline' >> ~/.vimrc
echo 'set modelines=0' >> ~/.vimrc
echo 'set nospell' >> ~/.vimrc
# Verify installed Vim version
vim --version | head -n 2
# Audit user-writable spell files on runtimepath
find ~/.vim/spell /usr/share/vim -name '*.spl' -type f -printf '%T@ %p\n' 2>/dev/null | sort -n
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
