Cyber Resilience

CVE-2026-28421

Medium

Published: 27 February 2026

Published
27 February 2026
Modified
04 March 2026
KEV Added
Patch
27 February 2026
CVSS Score v3.1 5.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS Score 0.0001 1.7th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28421 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Vim Vim. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28421 is a vulnerability in Vim, an open source command-line text editor, affecting versions prior to 9.2.0077. It involves a heap buffer overflow and a segmentation fault in Vim's swap file recovery logic, triggered by unvalidated fields read from crafted pointer blocks within a swap file. The issues are classified under CWE-20 (Improper Input Validation) and CWE-122 (Heap-based Buffer Overflow), with a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

An attacker with local access can exploit this vulnerability by crafting a malicious swap file and tricking a user into recovering it via Vim's recovery mechanism, which requires user interaction but no special privileges. Successful exploitation could result in limited impacts, including low-level disclosure of sensitive information, minor modification of data, or a denial of service through application crash.

Vim version 9.2.0077 addresses the vulnerability with fixes detailed in the associated GitHub commit (65c1a143c331c886dc28) and release notes. The GitHub security advisory (GHSA-r2gw-2x48-jj5p) and an oss-security mailing list post from February 27, 2026, recommend updating to the patched version to mitigate the risks.

EU & UK References

Vulnerability details

Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within…

more

a swap file. Version 9.2.0077 fixes the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Heap buffer overflow in Vim swap file recovery enables exploitation via crafted malicious file requiring user interaction to trigger (T1204.002), directly supporting client-side code execution or impact in a text editor application (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34714Same product: Vim Vim
CVE-2026-26269Same product: Vim Vim
CVE-2026-39881Same product: Vim Vim
CVE-2026-35177Same product: Vim Vim
CVE-2026-34982Same product: Vim Vim
CVE-2026-33412Same product: Vim Vim
CVE-2026-28417Same product: Vim Vim
CVE-2025-27423Same product: Vim Vim
CVE-2025-1215Same product: Vim Vim
CVE-2025-21395Shared CWE-122

Affected Assets

vim
vim
≤ 9.2.0077

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted input fields read from swap-file pointer blocks, eliminating the root cause of the heap overflow and SEGV.

prevent

Mandates timely application of the Vim 9.2.0077 patch that corrects the missing validation in swap-file recovery logic.

prevent

Provides memory-protection mechanisms that can contain or block exploitation of the heap-buffer-overflow condition during swap-file processing.

References