CVE-2026-26269
Published: 13 February 2026
Summary
CVE-2026-26269 is a medium-severity Stack-based Buffer Overflow (CWE-121) vulnerability in Vim. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 15.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stack buffer overflow in the Vim client's NetBeans integration lets a malicious NetBeans server exploit a client-side flaw, matching T1203 Exploitation for Client Execution. The achievable impact is limited memory corruption or denial of service, and it depends on the user connecting Vim to attacker-controlled infrastructure.
NVD Description
Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.
Deeper analysis
CVE-2026-26269 is a stack buffer overflow vulnerability in Vim, an open source command-line text editor. It affects Vim versions prior to 9.1.2148 that have the NetBeans integration feature enabled and in use. The flaw resides in the special_keys() function within src/netbeans.c, where a while (*tok) loop writes two bytes per iteration into a fixed 64-byte stack buffer named keybuf without performing bounds checks. This allows overflow via a specially crafted specialKeys command.
An attacker can exploit this vulnerability by operating a malicious NetBeans server to which a victim connects using a vulnerable Vim instance. Exploitation requires network access to the server, low attack complexity, no privileges, and user interaction, such as the user manually connecting Vim to the attacker's NetBeans server. Successful exploitation can result in limited integrity and availability impacts, with a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L), potentially leading to memory corruption, denial of service, or limited code manipulation depending on the context.
The vulnerability has been addressed in Vim patch v9.1.2148, as detailed in the official GitHub commit c5f312aad8e4179e437f81ad39a860cd0ef11970, the release page for v9.1.2148, and the security advisory GHSA-9w5c-hwr9-hc68. Security practitioners should update to Vim 9.1.2148 or later and disable NetBeans integration if not required, with further discussion available on the oss-security mailing list from February 13, 2026.
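As an added example that is not Vim's code: a hypothetical C model of the pattern described above (two bytes written per loop iteration into a 64-byte stack buffer with no bounds check) beside a bounded rewrite that refuses to write past the buffer. The function names, the '-' separator byte and the resulting 31-character token limit are assumptions derived only from the description on this page, not from src/netbeans.c.

```c
#include <stddef.h>
#include <string.h>

#define KEYBUF_SIZE 64  /* size of the stack buffer named in the advisory */

/* Hypothetical model of the unbounded pattern (not Vim's code): each input
 * character becomes two output bytes, so a token of 32 or more characters
 * runs past a 64-byte buffer. Only ever called on short input here; it
 * exists for comparison with the bounded version below. */
static size_t expand_token_unbounded(const char *tok, char keybuf[KEYBUF_SIZE])
{
    size_t i = 0;
    while (*tok) {               /* no check against KEYBUF_SIZE */
        keybuf[i++] = *tok++;    /* the key character */
        keybuf[i++] = '-';       /* assumed separator: second byte per iteration */
    }
    keybuf[i] = '\0';
    return i;
}

/* Bounded rewrite: stop before a pair plus the terminator would not fit.
 * Returns bytes written, or -1 when the token was rejected as too long. */
static int expand_token_bounded(const char *tok, char *keybuf, size_t bufsize)
{
    size_t i = 0;
    if (bufsize == 0)
        return -1;
    while (*tok) {
        if (i + 2 >= bufsize) {  /* need room for two bytes and the NUL */
            keybuf[i] = '\0';
            return -1;
        }
        keybuf[i++] = *tok++;
        keybuf[i++] = '-';
    }
    keybuf[i] = '\0';
    return (int)i;
}
```

The bounded version keeps the output NUL-terminated even on rejection, so a caller that ignores the -1 still does not read past the buffer.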
Details
- CWE(s)