Vim NFA Regex Engine NULL Pointer Dereference Vulnerability

Vulnerability

A NULL pointer dereference vulnerability has been identified in Vim versions from 9.1.0011 up to, but not including, 9.2.0137. The issue arises in the NFA regex compiler when it processes a collection with a combining character at the end of a range. The compiler mishandles this case and corrupts the NFA stack, leading to a NULL pointer dereference in the 'nfa_max_width()' function. As a result, the application crashes with a segmentation fault.

Impact

Exploiting this vulnerability causes a segmentation fault, leading to a crash of the Vim application.

Reproduction

The vulnerability can be reproduced by using a regex pattern that includes a look-behind assertion with a collection range endpoint defined by a combining Unicode character. This can be done by creating a Vim function that sets a line with such a pattern, compiles the regex, and executes it, which will trigger the crash.

Remediation

Users can upgrade to Vim version 9.2.0137 or later to address this vulnerability.
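
To check whether an installed build falls in the affected range, the following added example (not code from Vim or from this advisory's source) classifies the output of `vim --version`. It assumes the usual "Vi IMproved X.Y" and "Included patches:" lines, and treats the stated bounds as patch 11 of 9.1 and patch 137 of 9.2; the function names and sample outputs are constructed for illustration.

```python
import re
import subprocess

# Bounds as stated in the advisory above.
INTRODUCED = ((9, 1), 11)   # first affected version: 9.1.0011
FIXED = ((9, 2), 137)       # first fixed version: 9.2.0137

def parse_vim_version(text):
    """Return ((major, minor), included_patches) from `vim --version` output."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    patches = set()
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if line:
        # Entries are single numbers or ranges, e.g. "1-16, 647, 678".
        for item in filter(None, (s.strip() for s in line.group(1).split(","))):
            lo, _, hi = item.partition("-")
            patches.update(range(int(lo), int(hi or lo) + 1))
    return release, patches

def status(text):
    """Classify a build as 'not affected', 'affected' or 'fixed'."""
    release, patches = parse_vim_version(text)
    if release < INTRODUCED[0]:
        return "not affected"
    if release > FIXED[0]:
        return "fixed"
    if release == INTRODUCED[0]:
        # Assumption: a fix backported to 9.1 is not visible in the patch list.
        return "affected" if INTRODUCED[1] in patches else "not affected"
    return "fixed" if FIXED[1] in patches else "affected"

# Constructed sample outputs (first two lines of `vim --version`), not real captures.
SAMPLES = {
    "old": "VIM - Vi IMproved 9.0 (constructed)\nIncluded patches: 1-1672\n",
    "distro_91": "VIM - Vi IMproved 9.1 (constructed)\nIncluded patches: 1-16, 647, 678\n",
    "early_91": "VIM - Vi IMproved 9.1 (constructed)\nIncluded patches: 1-10\n",
    "92_unpatched": "VIM - Vi IMproved 9.2 (constructed)\nIncluded patches: 1-136\n",
    "92_backport": "VIM - Vi IMproved 9.2 (constructed)\nIncluded patches: 1-100, 137\n",
}

if __name__ == "__main__":
    try:
        local = subprocess.run(["vim", "--version"], capture_output=True, text=True, timeout=10)
        print("local vim ->", status(local.stdout))
    except (OSError, ValueError, subprocess.TimeoutExpired) as exc:
        print("local vim not checked:", exc)
```

Checking for the fix patch in the included set, rather than comparing only the highest patch number, keeps the result correct for distribution builds that list backported patches individually. Run it with LC_ALL=C so the "Included patches" label is not translated.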

Added: Mar 12, 2026, 8:19 PM
Updated: Mar 12, 2026, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.