Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077
====================================================================

Date: 27.02.2026
Severity: Moderate
CVE: CVE-2026-28421
CWE: Heap-based Buffer Overflow (CWE-122) / Improper Input Validation (CWE-20)
### Summary

A heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file.

### Description

During swap file recovery, ml_recover() reads pointer block entries (pe_bnum, pe_line_count, pe_page_count, etc.) directly from the file.

1) Heap Overflow: If a crafted swap file provides bogus block numbers (`pe_bnum`) or page counts (`pe_page_count`) that exceed the swap file size, `mf_get()` fails. Vim attempts to recover by appending "???MANY LINES MISSING" via ml_append(). A crafted file can trigger this enough times to overflow the db_index array in the current data block.

2) SEGV: If `pe_bnum` is negative, Vim attempts to read from the original file using `readfile()`. Because the offsets (`pe_old_lnum`) and counts (`pe_line_count`) from the swap file are not validated, Vim passes garbage parameters to `readfile()`, resulting in a segmentation fault.

### Impact

An attacker who can provide a crafted swap file to a user (e.g., via a shared project directory) can trigger a crash or potentially execute arbitrary code when the user attempts to recover the file.

### Acknowledgements

The Vim project would like to thank the reporters, GitHub users ehdgks0627 and un3xploitable, for identifying the vulnerability and providing a proof-of-concept.

### References

The issue has been fixed as of Vim patch [v9.2.0077](https://github.com/vim/vim/releases/tag/v9.2.0077)

[Commit](https://github.com/vim/vim/commit/65c1a143c331c886dc28)

[Github Advisory](https://github.com/vim/vim/security/advisories/GHSA-r2gw-2x48-jj5p)

Thanks,
Christian

--
Is the Bildschirm (screen) called a Bildschirm because it shields off (abschirmt) Bilder (pictures)?
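The two range checks the Description section above says are missing (the swap-file bounds behind `mf_get()` for case 1, and the original-file bounds behind `readfile()` for case 2), written as an added C example for illustration; this is not Vim's code or its fix. The struct, the `orig_file_lines` parameter and the reading of `pe_old_lnum` as a line offset into the original file are assumptions that only mirror the field names the advisory cites.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical pointer-block entry using the field names the advisory cites.
 * Illustrative only; this is not Vim's own struct definition. */
typedef struct {
    int64_t pe_bnum;       /* block number in the swap file; negative = read original file */
    int64_t pe_line_count; /* number of lines the entry covers */
    int64_t pe_old_lnum;   /* assumed: first line of the range in the original file */
    int64_t pe_page_count; /* pages the block occupies in the swap file */
} pointer_entry_t;

/* Reject any entry whose values would send mf_get() past the end of the swap
 * file or readfile() outside the original file. Returns true only when every
 * field is within range. */
bool pe_entry_is_sane(const pointer_entry_t *pe, uint64_t swap_file_size,
                      uint64_t page_size, int64_t orig_file_lines)
{
    if (page_size == 0 || pe->pe_page_count <= 0 || pe->pe_line_count <= 0)
        return false;
    if (pe->pe_bnum < 0) {
        /* Case 2 (SEGV): offset and count must stay inside the original file. */
        if (pe->pe_old_lnum < 0 || pe->pe_old_lnum > orig_file_lines)
            return false;
        return pe->pe_line_count <= orig_file_lines - pe->pe_old_lnum;
    }
    /* Case 1 (heap overflow): block number plus page count must fit in the
     * swap file. Compare in pages, not bytes, so that bnum * page_size can
     * never overflow before the check runs. */
    uint64_t pages_in_file = swap_file_size / page_size;
    if ((uint64_t)pe->pe_bnum >= pages_in_file)
        return false;
    return (uint64_t)pe->pe_page_count <= pages_in_file - (uint64_t)pe->pe_bnum;
}

int main(void)
{
    /* Constructed sample: a 4-page swap file and a 100-line original file. */
    pointer_entry_t valid    = { .pe_bnum = 1,  .pe_line_count = 10, .pe_old_lnum = 0,  .pe_page_count = 2 };
    pointer_entry_t past_eof = { .pe_bnum = 1,  .pe_line_count = 10, .pe_old_lnum = 0,  .pe_page_count = 4 };
    pointer_entry_t bad_lnum = { .pe_bnum = -1, .pe_line_count = 50, .pe_old_lnum = 60, .pe_page_count = 1 };
    printf("valid=%d past_eof=%d bad_lnum=%d\n",
           pe_entry_is_sane(&valid, 4 * 4096, 4096, 100),
           pe_entry_is_sane(&past_eof, 4 * 4096, 4096, 100),
           pe_entry_is_sane(&bad_lnum, 4 * 4096, 4096, 100));
    return 0;
}
```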
