CVE-2026-28422 LOW

CVE-2026-28422: Vim has stack-buffer-overflow in build_stl_str_hl()

Vendor Vim
Product vim
Weakness CWE-121
Published February 27, 2026
Last update March 2, 2026

CVSS base score

2.2/10
Attack vector Local
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Vim is an open source, command-line text editor. Prior to version 9.2.0078, a stack buffer overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.

Key dates

02 Disclosure timeline

February 27, 2026 CVE published
March 2, 2026 Record updated