CVE-2026-28421
Published: 27 February 2026
Summary
CVE-2026-28421 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Vim. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 1.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28421 is a vulnerability in Vim, an open source command-line text editor, affecting versions prior to 9.2.0077. It involves a heap buffer overflow and a segmentation fault in Vim's swap file recovery logic, triggered by unvalidated fields read from crafted pointer blocks within a swap file. The issues are classified under CWE-20 (Improper Input Validation) and CWE-122 (Heap-based Buffer Overflow), with a CVSS v3.1 base score of 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
An attacker with local access can exploit this vulnerability by crafting a malicious swap file and tricking a user into recovering it via Vim's recovery mechanism, which requires user interaction but no special privileges. Successful exploitation could result in limited impacts, including low-level disclosure of sensitive information, minor modification of data, or a denial of service through application crash.
Vim version 9.2.0077 addresses the vulnerability with fixes detailed in the associated GitHub commit (65c1a143c331c886dc28) and release notes. The GitHub security advisory (GHSA-r2gw-2x48-jj5p) and an oss-security mailing list post from February 27, 2026, recommend updating to the patched version to mitigate the risks.
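The root cause described above, a count or index read from a file and used as a loop bound or array index before it is checked, is the generic pattern that the SI-10 control targets. The following C program is an added illustration written for this page; it is not Vim's code and does not reproduce Vim's real swap-file layout. It parses a constructed "pointer block" format (a 4-byte entry count followed by fixed-size entries) and validates every untrusted field against the caller's actual allocation and the bytes actually read before that field drives a loop or index. The format, field names, constants and function names are all assumptions made for the example.

```c
/* Added example: validating count and size fields from an untrusted block.
 * The block layout is constructed for illustration and is NOT Vim's swap
 * file format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define BLOCK_SIZE  128      /* constructed: bytes read from disk per block */
#define MAX_ENTRIES 8        /* constructed: capacity of the caller's entry array */
#define MAX_LNUM    100000u  /* constructed: sanity cap for a per-entry line count */

/* Constructed on-disk layout: 4-byte entry count, then entries of
 * (4-byte block number, 4-byte line count), all little-endian. */
typedef struct { uint32_t bnum; uint32_t lnum; } entry_t;

enum parse_status { PARSE_OK = 0, PARSE_ERR_SHORT, PARSE_ERR_COUNT, PARSE_ERR_LNUM };

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse one pointer block. 'len' is how many bytes were actually read,
 * 'max_entries' is how many entries 'out' can hold. Each field is checked
 * before it is used as a bound, so a crafted count can neither overrun
 * 'out' nor make the loop read past the end of 'buf'. */
enum parse_status parse_pointer_block(const uint8_t *buf, size_t len,
                                      entry_t *out, size_t max_entries,
                                      uint32_t max_lnum, size_t *n_out)
{
    if (len < 4) return PARSE_ERR_SHORT;            /* no room for the count */
    uint32_t count = rd32(buf);
    /* An unchecked parser would loop 'count' times here and write out[i]
     * on every iteration; with a crafted count that overruns 'out'. */
    if (count > max_entries) return PARSE_ERR_COUNT; /* caller's real capacity */
    if ((size_t)count * 8 > len - 4) return PARSE_ERR_SHORT; /* entries exceed bytes read */
    for (uint32_t i = 0; i < count; i++) {
        const uint8_t *e = buf + 4 + (size_t)i * 8;
        out[i].bnum = rd32(e);
        out[i].lnum = rd32(e + 4);
        if (out[i].lnum > max_lnum) return PARSE_ERR_LNUM; /* implausible line count */
    }
    *n_out = count;
    return PARSE_OK;
}

/* Build a constructed block in memory; 'claimed' may differ from the
 * number of entries really written, which is how a crafted file lies. */
size_t build_block(uint8_t *buf, uint32_t claimed, const entry_t *in, size_t n_in) {
    wr32(buf, claimed);
    for (size_t i = 0; i < n_in; i++) {
        wr32(buf + 4 + i * 8, in[i].bnum);
        wr32(buf + 8 + i * 8, in[i].lnum);
    }
    return 4 + n_in * 8;
}

static enum parse_status run_case(uint32_t claimed, const entry_t *in,
                                  size_t n_in, size_t *n_out) {
    uint8_t buf[BLOCK_SIZE] = {0};
    entry_t out[MAX_ENTRIES];
    size_t len = build_block(buf, claimed, in, n_in);
    return parse_pointer_block(buf, len, out, MAX_ENTRIES, MAX_LNUM, n_out);
}

/* Well-formed block: two entries, count matches. */
enum parse_status demo_good(size_t *n) {
    const entry_t in[] = {{3, 10}, {4, 25}};
    return run_case(2, in, 2, n);
}
/* Crafted count far beyond the caller's allocation. */
enum parse_status demo_crafted_count(size_t *n) {
    const entry_t in[] = {{3, 10}, {4, 25}};
    return run_case(1000, in, 2, n);
}
/* Count within capacity but more entries than the block contains. */
enum parse_status demo_truncated(size_t *n) {
    const entry_t in[] = {{3, 10}, {4, 25}};
    return run_case(5, in, 2, n);
}
/* Per-entry field outside its plausible range. */
enum parse_status demo_bad_lnum(size_t *n) {
    const entry_t in[] = {{3, 4000000000u}};
    return run_case(1, in, 1, n);
}

int main(void) {
    size_t n = 0;
    printf("good: %d entries=%zu\n", demo_good(&n), n);
    printf("crafted count: %d\n", demo_crafted_count(&n));
    printf("truncated: %d\n", demo_truncated(&n));
    printf("bad lnum: %d\n", demo_bad_lnum(&n));
    return 0;
}
```

The three checks are ordered so that the capacity check runs first; once `count` is bounded by `max_entries`, the multiplication in the byte-length check cannot overflow on any platform, which is the kind of ordering a reviewer would look for in a fix for CWE-20/CWE-122 findings of this shape.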
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9089
Vulnerability details
Vim is an open source, command line text editor. Versions prior to 9.2.0077 contain a heap-buffer-overflow and a segmentation fault (SEGV) in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The heap buffer overflow in Vim's swap file recovery is reached only when a user recovers a crafted swap file, so exploitation depends on User Execution: Malicious File (T1204.002) and directly supports client-side code execution or impact within the text editor process (T1203).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of untrusted input fields read from swap-file pointer blocks, eliminating the root cause of the heap overflow and SEGV.
- SI-2 (Flaw Remediation): Mandates timely application of the Vim 9.2.0077 patch that corrects the missing validation in swap-file recovery logic.
- Memory protection (control identifier not given on this page): Provides memory-protection mechanisms that can contain or block exploitation of the heap-buffer-overflow condition during swap-file processing.