2437843 – (CVE-2026-25749) CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing

Bug 2437843 (CVE-2026-25749) - CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing

Summary: CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option proce...

Keywords:
Status:	NEW
Alias:	CVE-2026-25749
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2438247
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-09 11:09 UTC by OSIDB Bzimport
Modified:	2026-02-11 15:58 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-09 11:09:21 UTC

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.

Note You need to log in before you can comment on or make changes to this bug.