CVE-2026-32249
Publication date 12 March 2026
Last updated 14 April 2026
Ubuntu priority
Description
Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| vim | 25.10 questing |
Fixed 2:9.1.0967-1ubuntu6.2
|
| 24.04 LTS noble |
Fixed 2:9.1.0016-1ubuntu7.11
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Not affected
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty |
Not affected
|
Severity score breakdown
CVSS version: CVSS v3.0
Base score
5.3 · Medium
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
References
Related Ubuntu Security Notices (USN)
- USN-8171-1
- Vim vulnerabilities
- 13 April 2026