Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074
======================================================================
Date: 27.02.2026
Severity: Low
CVE: CVE-2026-28418
CWE: Heap-based Buffer Overflow (CWE-122) / Out-of-bounds Read (CWE-125)

### Summary
A heap-based buffer overflow (out-of-bounds read) exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary.

### Description
The vulnerability is located in the `emacs_tags_new_filename()` function. When Vim encounters a section header in an Emacs-style tags file, it reads the following line into a fixed 512-byte heap buffer. The code then searches for a comma delimiter to separate the filename from the section metadata.

If a crafted tags file provides a line that exceeds the buffer capacity and contains no comma, the search loop reaches the end of the allocation. Because the code assumes a comma was found, it proceeds to check for an "include" directive by accessing memory immediately following the buffer boundary. This results in an out-of-bounds read of up to 7 bytes.

### Impact
The vulnerability allows for an out-of-bounds heap read. An attacker who induces a user to perform a tag lookup using a crafted Emacs tags file (e.g., in a malicious repository) can crash Vim.

The severity is rated **low** because it is a read-only overflow and requires the user to load and interact with a malicious Emacs tags file.

### Acknowledgements
The Vim project would like to thank the reporters, GitHub users ehdgks0627 and un3xploitable, for identifying the vulnerability and providing a proof-of-concept.

### References
The issue has been fixed as of Vim patch [v9.2.0074](https://github.com/vim/vim/releases/tag/v9.2.0074).

[Commit](https://github.com/vim/vim/commit/f6a7f469a9c0d09e84cd6cb)
[GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-h4mf-vg97-hj8j)

Thanks
Christian
-- 
A single agitator is sometimes worth more than all the appeasers put together.
                -- Georg Büchner
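
The bug class described in the advisory above, as an added example (not Vim's code and not part of the advisory): `unchecked_overread` models, without performing it, a 7-byte compare that starts one past the scan position even when no comma was found, and `section_kind` is a checked form of the same parse. The function names and return codes are hypothetical; only the 512-byte buffer and the "include" check come from the advisory, and the buffer is assumed to be NUL-terminated by the line read.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 512 /* buffer size stated in the advisory */

/* Length of the string in buf, never scanning past cap bytes. */
static size_t bounded_len(const char *buf, size_t cap) {
    const char *nul = memchr(buf, '\0', cap);
    return nul ? (size_t)(nul - buf) : cap;
}

/* Models the unchecked pattern without performing it: scan to ',' or NUL,
 * then assume a 7-byte compare starts one past that position. Returns the
 * upper bound on bytes that compare may touch beyond the allocation. */
size_t unchecked_overread(const char *buf, size_t cap) {
    size_t len = bounded_len(buf, cap);
    if (memchr(buf, ',', len) != NULL)
        return 0; /* text after ',' ends at the NUL inside buf */
    size_t end = len + 1 + 7; /* compare would cover [len + 1, len + 8) */
    return end > cap ? end - cap : 0;
}

/* Checked form: 1 = "name,include...", 0 = "name,<other>", -1 = no comma.
 * The compare runs only when 7 bytes exist between the comma and the NUL. */
int section_kind(const char *buf, size_t cap) {
    size_t len = bounded_len(buf, cap);
    const char *comma = memchr(buf, ',', len);
    if (comma == NULL)
        return -1; /* malformed header line: reject, do not look past it */
    size_t rest = len - (size_t)(comma - buf) - 1;
    return rest >= 7 && memcmp(comma + 1, "include", 7) == 0;
}

/* Constructed input: a comma-free line that fills the buffer, as a bounded
 * line read leaves it (LINE_CAP - 1 characters, then NUL). */
const char *full_line(void) {
    static char buf[LINE_CAP];
    memset(buf, 'A', LINE_CAP - 1);
    buf[LINE_CAP - 1] = '\0';
    return buf;
}

int main(void) {
    printf("unchecked compare may over-read %zu byte(s); checked parse: %d\n",
           unchecked_overread(full_line(), LINE_CAP),
           section_kind(full_line(), LINE_CAP));
    return 0;
}
```

Building a parser like this with AddressSanitizer and feeding it over-long, delimiter-free lines is a quick regression check for this class of read.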
