Vulnerability DatabaseCVE-2026-28418
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-28418
February 27, 2026
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
Affected Packages
https://github.com/vim/vim.git (GITHUB):
Affected version(s) >=v9.1.1357 <v9.2.0074
Fix Suggestion:
Update to version v9.2.0074
https://github.com/vim/vim.git (GITHUB):
Affected version(s) >=v9.1.1357 <v9.2.0074
Fix Suggestion:
Update to version v9.2.0074
https://github.com/vim/vim.git (GITHUB):
Affected version(s) >=v9.1.1357 <v9.2.0074
Fix Suggestion:
Update to version v9.2.0074
https://github.com/vim/vim.git (GITHUB):
Affected version(s) >=v9.1.1357 <v9.2.0074
Fix Suggestion:
Update to version v9.2.0074
Related ResourcesĀ (4)
https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb
http://www.openwall.com/lists/oss-security/2026/02/27/7
https://github.com/vim/vim/releases/tag/v9.2.0074
https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j
Do you need more information?
Contact Us
CVSS v4
Base Score:
4.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.4
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Heap-based Buffer Overflow
CWE-122
Out-of-bounds Read
CWE-125