{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32249", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T14:47:05.686Z", "datePublished": "2026-03-12T19:17:23.954Z", "dateUpdated": "2026-03-13T16:16:31.836Z"}, "containers": {"cna": {"title": "NFA regex engine NULL pointer dereference affects Vim < 9.2.0137", "problemTypes": [{"descriptions": [{"cweId": "CWE-476", "lang": "en", "description": "CWE-476: NULL Pointer Dereference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"}, {"name": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec"}, {"name": "https://github.com/vim/vim/releases/tag/v9.2.0137", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0137"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": ">= 9.1.0011, < 9.2.0137", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:17:23.954Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137."}], "source": {"advisory": "GHSA-9phh-423r-778r", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T16:16:20.237064Z", "id": "CVE-2026-32249", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-13T16:16:31.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "NFA regex engine NULL pointer dereference affects Vim < 9.2.0137", "source": {"advisory": "GHSA-9phh-423r-778r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": ">= 9.1.0011, < 9.2.0137"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r", "name": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec", "name": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0137", "name": "https://github.com/vim/vim/releases/tag/v9.2.0137", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T19:17:23.954Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32249", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-13T16:16:20.237064Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-13T16:16:24.007Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-32249", "state": "PUBLISHED", "dateUpdated": "2026-03-12T19:17:23.954Z", "dateReserved": "2026-03-11T14:47:05.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T19:17:23.954Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "83D71745-798E-4425-82EC-1396F4C9F239", "versionEndExcluding": "9.1.0137", "versionStartIncluding": "9.1.0011", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137."}, {"lang": "es", "value": "Vim es un editor de texto de c\u00f3digo abierto de l\u00ednea de comandos. Desde la versi\u00f3n 9.1.0011 hasta antes de la 9.2.0137, el compilador de expresiones regulares NFA de Vim, al encontrar una colecci\u00f3n que contiene un car\u00e1cter combinatorio como punto final de un rango de caracteres (por ejemplo, [0-0\\u05bb]), emite incorrectamente los bytes de composici\u00f3n de ese car\u00e1cter como estados NFA separados. Esto corrompe la pila postfija NFA, lo que resulta en que NFA_START_COLL tenga un puntero out1 NULL. Cuando nfa_max_width() posteriormente recorre el NFA compilado para estimar el ancho de coincidencia para la aserci\u00f3n de look-behind, desreferencia state-&gt;out1-&gt;out sin una verificaci\u00f3n de NULL, causando un fallo de segmentaci\u00f3n. Esta vulnerabilidad se corrige en la versi\u00f3n 9.2.0137."}], "id": "CVE-2026-32249", "lastModified": "2026-03-18T11:50:06.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T20:16:05.523", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/vim/vim/releases/tag/v9.2.0137"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: NFA regex engine NULL pointer dereference", "id": "2447110", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2447110"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-476", "details": ["A flaw was found in Vim. A NULL pointer dereference can occur when the NFA regex compiler processes a specific character collection, more specifically one that contains a combining character acting as the endpoint of a character range (e.g., [0-0\\u05bb]). A process or user that can supply a regex pattern can cause an application crash, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, disable the NFA (Non-deterministic Finite Automaton) regex engine and enable the traditional backtracking engine by adding the following option to the Vim configuration file:\n~~~\nset regexpengine=1\n~~~"}, "name": "CVE-2026-32249", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2026-03-12T19:17:23Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32249\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32249\nhttps://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec\nhttps://github.com/vim/vim/releases/tag/v9.2.0137\nhttps://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r"], "statement": "To exploit this issue, an attacker needs to be able to supply a malicious regex pattern to be processed by the NFA regex compiler, including via plugins or command line arguments. Also, this flaw can cause an application crash, resulting only in a denial of service with no other security impact. Due to these reasons, this vulnerability has been rated with low severity.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.1.0011,9.2.0137)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "vim", "source": "cna", "vendor": "vim"}, "product": "vim", "vendor": "vim"}], "analysis": {"en": {"generated_at": "2026-03-18T13:21:24.928342+00:00", "value": {"mitigation_remediation": ["Upgrade Vim to version 9.2.0137 or a later release.", "Verify the installed Vim version with `vim --version` before applying the patch."], "summary": {"action": "Update", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Vim versions from 9.1.0011 up through 9.2.0136. Affected vendors include vim:vim. Users running any of these versions are at risk until they upgrade.", "description_and_impact": "Vim\u2019s NFA regex compiler contains a null pointer dereference that leads to a segmentation fault. When a regular expression contains a character range whose endpoint includes a combining character, such as [0-0\\u05bb], the compiler emits composing bytes as separate NFA states. This corrupts the NFA postfix stack, causing the NFA_START_COLL state\u2019s out1 pointer to be NULL. A later traversal for look\u2011behind estimation dereferences state->out1->out without a NULL check, producing a crash. The impact is a denial of service via an application crash; no remote code execution or privilege escalation is indicated. The weakness is identified as CWE-476.", "risk_and_exploitability": "The CVSS score is 5.3, indicating moderate severity, while the EPSS score is below 1%, implying a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires delivering a crafted regular expression to Vim, which is most likely a local attack vector; however, if Vim is invoked on untrusted content with elevated privileges, the resulting crash could compromise availability for that session. The official fix is to upgrade to Vim 9.2.0137 or later."}}}}, "created": "2026-03-13T09:50:08.381596+00:00", "updated": "2026-03-23T09:54:55.184746+00:00", "vendors": ["vim", "vim$PRODUCT$vim"]}