2437843 – (CVE-2026-25749) CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing

Bug 2437843 (CVE-2026-25749) - CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing

Summary: CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option proce...

Keywords:
Status:	NEW
Alias:	CVE-2026-25749
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2438247
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-09 11:09 UTC by OSIDB Bzimport
Modified:	2026-03-05 18:06 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-09 11:09:21 UTC

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.

Comment 2 naresh.sukhija 2026-02-20 12:32:16 UTC

Hi,

Is someone looking into this Security Vulnerability ?

Regards,
Naresh

Note You need to log in before you can comment on or make changes to this bug.