Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <afzkg48dgcKJF/6E@256bit.org>
Date: Thu, 7 May 2026 21:14:11 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Heap Buffer Overflow in spell file loading affects
 Vim < 9.2.0450

Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450
=================================================================
Date: 07.05.2026
Severity: Medium
CVE: *requested, not yet assigned*
CWE: Integer Overflow or Wraparound (CWE-190) leading to Heap-based Buffer Overflow (CWE-122)

## Summary
A heap buffer overflow exists in `read_compound()` in `src/spellfile.c`
when loading a crafted spell file (`.spl`) with UTF-8 encoding active.
An attacker-controlled length field in the spell file's compound section
overflows a 32-bit signed integer multiplication, causing a small buffer
to be allocated for a write loop that runs many iterations, overflowing
the heap.  Because the `'spelllang'` option can be set from a modeline,
a text file modeline can trigger spell file loading if a malicious
`.spl` file has been planted on the runtimepath.

## Description
In `read_compound()` (`src/spellfile.c`), the buffer size for the regex
pattern `pat` is computed from the attacker-controlled `sectionlen`
field of an `SN_COMPOUND` section.  Both `todo` and the size variable
`c` are declared as `int`:

    c = todo * 2 + 7;
    if (enc_utf8)
        c += todo * 2;
    pat = alloc(c);

When `todo` is sufficiently large (e.g. `0x40000005`), the multiplication
`todo * 4 + 7` overflows the 32-bit signed integer and wraps to a small
positive value (e.g. 27).  `alloc(27)` succeeds, but the subsequent loop
iterates `todo` (~1 billion) times, writing bytes into the 27-byte
buffer and corrupting adjacent heap memory.

The overflow only manifests when UTF-8 encoding is active (`enc_utf8`).
Without it, the intermediate value remains negative, sign-extends to a
huge `size_t`, and `alloc()` returns NULL harmlessly.  UTF-8 is the
default on virtually all modern Linux and macOS systems.

A modeline in an unrelated text file can set `'spelllang'` and enable
`'spell'`, causing Vim to load a spell file under the attacker's control
if one has been planted on the runtimepath (e.g. `~/.vim/spell/`).

## Impact
The vulnerability allows a heap buffer overflow of approximately 75
bytes with partially attacker-controlled content when Vim loads a
crafted spell file under UTF-8 encoding.  The practical impact is a
crash of the Vim process (denial of service).

Exploitation requires a malicious `.spl` file to be present on the
runtimepath and the victim to either:

- explicitly enable spell checking with the matching language, or
- open any text file containing a modeline that sets `'spelllang'`
  and enables `'spell'`, while `'modeline'` is enabled.

The severity is rated Medium because exploitation requires both a
planted spell file and a separate triggering action by the victim, and
the practical outcome is a crash rather than code execution.

## Acknowledgements
The Vim project would like to thank Daniel Cervera (@daniel-msft) of
Microsoft Security Engineering for reporting and analyzing the issue and
suggesting a fix.

## References
The issue has been fixed as of Vim patch [v9.2.0450](https://github.com/vim/vim/releases/tag/v9.2.0450).
- [Commit](https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8)
- [Github Security Advisory](https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv)



Best,
Christian
-- 
Man soll die Wahrheit mehr als sich selbst lieben, aber seinen
Nächsten mehr als die Wahrheit.
		-- Romain Rolland

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.