=====================================================================
                           CERT-Renater

               Information Note No. 2026/VULN130
_____________________________________________________________________

DATE                 : 06/02/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Vim versions prior to 9.1.2132.

=====================================================================
https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43
_____________________________________________________________________

buffer overflow in helpfile option handling affects Vim < 9.1.2132

Moderate
chrisbra published GHSA-5w93-4g67-mm43 Feb 5, 2026

Package            : tag.c
Affected versions  : 9.1.2116
Patched versions   : None

Description

Buffer overflow in helpfile option handling affects Vim <9.1.2132

Date: 05.02.2026
Severity: Medium
CVE: not yet assigned
CWE: Heap-based Buffer Overflow (CWE-122)

Summary

A heap buffer overflow vulnerability exists in Vim's tag file
resolution logic when processing the 'helpfile' option, affecting all
versions prior to version v9.1.2132.

Description

The vulnerability is located in the get_tagfname() function in
src/tag.c. When processing help file tags, Vim copies the
user-controlled 'helpfile' option value into a fixed-size heap buffer
of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY()
operation without any bounds checking.

The vulnerable code path is triggered when:

1. A user or attacker sets the 'helpfile' option to a string exceeding
   MAXPATHL bytes
2. The :help command is executed
3. The call chain ex_help() → find_help_tags() → find_tags() →
   get_tagfname() is invoked
4. The unchecked STRCPY(buf, p_hf) overflows the heap-allocated buffer.

Since the 'helpfile' option has no length validation when set,
arbitrarily long values can be assigned and subsequently copied,
causing heap memory corruption when the buffer overflow occurs.
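An added example, not code from the advisory or from the Vim project: one bounds-checked way to do the copy described above, rejecting an over-long 'helpfile' value instead of writing past the MAXPATHL + 1 byte heap buffer. The helper names, the MAXPATHL value of 4096, and the step that replaces the last path component with "tags" are assumptions of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPATHL 4096 /* assumed typical value: the advisory gives MAXPATHL + 1 = 4097 */
enum { FAIL = 0, OK = 1 };

/* Hypothetical helper (not Vim's code): write "<dir of helpfile>tags" to buf,
 * whose full size is buflen. Returns FAIL rather than writing past the end. */
static int helpfile_tags_path(const char *helpfile, char *buf, size_t buflen)
{
    static const char tags[] = "tags";
    const char *slash = strrchr(helpfile, '/');
    size_t dirlen = slash ? (size_t)(slash - helpfile) + 1 : 0;

    /* Bound the final length, not only the input: a last component shorter
     * than "tags" makes the result longer than the option value. */
    if (*helpfile == '\0' || dirlen + sizeof(tags) > buflen)
        return FAIL;
    memcpy(buf, helpfile, dirlen);
    memcpy(buf + dirlen, tags, sizeof(tags)); /* sizeof includes the NUL */
    return OK;
}

/* Constructed input: a path of total_len bytes ('a' filler) ending in "/h". */
static char *make_path(size_t total_len)
{
    char *p = malloc(total_len + 1);
    if (p == NULL) return NULL;
    memset(p, 'a', total_len);
    memcpy(p + total_len - 2, "/h", 3);
    return p;
}

/* One case against a heap buffer of MAXPATHL + 1 bytes, the size the advisory names. */
static int try_len(size_t total_len)
{
    char *buf = malloc(MAXPATHL + 1);
    char *hf = make_path(total_len);
    int r = (buf && hf) ? helpfile_tags_path(hf, buf, MAXPATHL + 1) : FAIL;
    printf("option length %zu: %s\n", total_len, r == OK ? "accepted" : "rejected");
    free(hf); free(buf);
    return r;
}

int main(void)
{
    return !(try_len(20) && try_len(MAXPATHL - 3) && !try_len(MAXPATHL));
}
```

In this sketch a value of exactly MAXPATHL bytes is rejected even though the value itself would fit, because the rewritten path would not.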
Impact

The vulnerability allows heap buffer overflow with the following
potential impacts:

- Denial of Service: Heap corruption causes immediate application
  crashes
- Memory Corruption: Adjacent heap allocations and heap metadata can be
  overwritten
- Potential Code Execution: Depending on heap layout and exploitation
  techniques, this could potentially be leveraged for arbitrary code
  execution, though this would be non-trivial

The vulnerability requires user interaction (setting the helpfile
option and executing the :help command) and is therefore rated medium
(CVSS 6.6), but has the potential for code execution due to the nature
of heap buffer overflows.

This issue was confirmed using AddressSanitizer, which detected a
heap-buffer-overflow with writes significantly exceeding the allocated
buffer size.

Acknowledgements

The Vim project would like to thank Rahul Hoysala (github handle
@rahulhoysala) for reporting this issue and providing detailed
proof-of-concept code demonstrating the vulnerability.

References

The issue has been fixed as of Vim patch v9.1.2132.

- Commit
- Github Advisory

Details

Severity: Moderate, 6.6 / 10

CVSS v3 base metrics

Attack vector        : Local
Attack complexity    : Low
Privileges required  : Low
User interaction     : Required
Scope                : Unchanged
Confidentiality      : None
Integrity            : High
Availability         : High

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CVE ID     : CVE-2026-25749
Weaknesses : CWE-122
Credits    : @rahulhoysala (Reporter)

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================