Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN303
_____________________________________________________________________

DATE                : 13/03/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Vim versions prior to 9.2.0137.

=====================================================================
https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r
_____________________________________________________________________


NFA regex engine NULL pointer dereference affects Vim < 9.2.0137
Moderate
chrisbra published GHSA-9phh-423r-778r Mar 11, 2026

Package
Vim (Vim)

Affected versions
< 9.2.0137

Patched versions
9.2.0137


Description
NFA regex engine NULL pointer dereference affects Vim < 9.2.0137

Date: 11.03.2026
Severity: Moderate
CVE: CVE-2026-32249
CWE: NULL Pointer Dereference (CWE-476)


Summary
_____________________________________________________________________
A NULL pointer dereference occurs in nfa_max_width() when the NFA
regex engine processes a look-behind assertion containing a
collection with a combining Unicode character as a range endpoint.


Description

Vim's NFA regex compiler, when encountering a collection containing
a combining character as the endpoint of a character range (e.g.
[0-0\u05bb]), incorrectly emits the composing bytes of that character
as separate NFA states. This corrupts the NFA postfix stack, resulting
in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width()
subsequently traverses the compiled NFA to estimate match width for
the look-behind assertion, it dereferences state->out1->out without
a NULL check, causing a segmentation fault.

The bug was introduced by patch 9.1.0011.


Impact

Any user or process that can supply a regex pattern to Vim - including
via plugins or command-line arguments - can trigger a crash.


Acknowledgements

The Vim project would like to thank Nathan Mills for identifying the
vulnerability through fuzzing and providing a minimal reproducer and
detailed analysis.


References

The issue has been fixed as of Vim patch v9.2.0137

    Commit
    GitHub Advisory

Severity
Moderate
5.3/ 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVE ID
CVE-2026-32249

Weaknesses
Weakness CWE-476


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================