Donate Telegram

CVE-2026-28420

MEDIUM CVSS 3.1: 4.4 EPSS 0.01%

Feb 27, 2026

Updated Feb 28, 2026

Vim

Parameter	Value
CVSS	4.4 (MEDIUM)
Type	CWE-122 (Heap-based Buffer Overflow), CWE-125 (Out-of-bounds Read)
Vendor	Vim
Public PoC	No

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

Attack Parameters

Attack Vector

Local

Requires local access

Attack Complexity

Low

Easy to exploit

Privileges Required

None

No privileges needed

User Interaction

Required

User action required

Impact Assessment

Confidentiality

None

No data leak

Integrity

Low

Partial data modification

Availability

Low

Partial disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-122 Heap-based Buffer Overflow

CWE-125 Out-of-bounds Read

References 4

https://github.com/vim/vim/commit/bb6de2105b160e729c34063

security-advisories@github.com

https://github.com/vim/vim/releases/tag/v9.2.0076

security-advisories@github.com

https://github.com/vim/vim/security/advisories/GHSA-rvj2-jrf9-2phg

security-advisories@github.com

http://www.openwall.com/lists/oss-security/2026/02/27/9

af854a3a-2127-422b-91ae-364da2661108

Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33412

Vim

CVE-2026-28422

Vim

CVE-2026-28421

Vim

CVE-2026-28419

Vim

CVE-2026-28418

Vim

CVE Details

CVE ID

CVE-2026-28420

Published Date

Feb 27, 2026

Vendor

Vim

Severity

MEDIUM

CVSS v3.1 Score

4.4

Medium severity. Plan remediation.

Attack Analysis

Exploitability 1.8/10

How easy to exploit

Impact 2.5/10

Severity of consequences

Exploit Prediction (EPSS)

Probability of Exploit 0.01%

Likelihood of exploitation in next 30 days

Percentile: 0.2th percentile (higher than 0.2% of all CVEs)

Standard patching cycle

Impact

Partial data modification

Partial service disruption

Source

Editor's Choice