VYPR
patchPublished Jul 10, 2026· Updated Jul 11, 2026· 1 source

Vim: Three Completion and Spell-Check Vulnerabilities Disclosed Together

Key findings • Three vulnerabilities in Vim's completion scripts and spell-checking function were disclosed on July 10, 2026. • CVE-2026-59856 and CVE-2026-59858 affect PHP and C omni-complet…

Key findings

  • Three vulnerabilities in Vim's completion scripts and spell-checking function were disclosed on July 10, 2026.
  • CVE-2026-59856 and CVE-2026-59858 affect PHP and C omni-completion scripts due to unescaped input.
  • CVE-2026-59857 is a buffer overflow vulnerability in the spell-checking functionality.
  • All issues are fixed in Vim version 9.2.0736.

On July 10, 2026, three vulnerabilities were disclosed in the Vim text editor, all patched in version 9.2.0736. The vulnerabilities stem from improper handling of user-supplied input within completion scripts and spell-checking functions, potentially leading to code execution or buffer overflows.

Two of the vulnerabilities, CVE-2026-59856 and CVE-2026-59858, affect the omni-completion scripts for PHP and C, respectively. In CVE-2026-59856, the PHP completion script interpolates class or trait names from the buffer into a search pattern without proper escaping, creating a vulnerability when a name contains a single quote. Similarly, CVE-2026-59858's C completion script interpolates type references into a :execute command without escaping, which can be exploited due to how :vimgrep handles the pipe character.

The third vulnerability, CVE-2026-59857, resides in the spell_soundfold_sal() function within src/spell.c. This function translates words through spell files' sound-folding rules. However, its result writes are guarded by reslen < MAXWLEN, allowing reslen to reach MAXWLEN, potentially leading to a buffer overflow.

All three issues were addressed in Vim version 9.2.0736. Users are advised to update to this version or later to mitigate these risks. The disclosures highlight the importance of rigorous input sanitization, even in components like text completion and spell checking, to prevent security vulnerabilities.

The timely patching of these issues by the Vim maintainers underscores the ongoing effort to secure this widely used text editor. Users who rely on Vim for development or day-to-day text manipulation should ensure their installations are up-to-date to benefit from these security enhancements.

Synthesized by Vypr AI