{ "affected": [ { "ranges": [ { "events": [ { "introduced": "d2cc51f9a1a5a30ef5d2e732f49d7f495cae24cf" }, { "fixed": "36d6e87542cf823d833e451e09a90ee429899cec" } ], "repo": "https://github.com/vim/vim", "type": "GIT" } ] } ], "aliases": [ "GHSA-9phh-423r-778r" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-476" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32249.json" }, "details": "Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state-\u003eout1-\u003eout without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137.", "id": "CVE-2026-32249", "modified": "2026-04-01T23:09:55.838862582Z", "published": "2026-03-12T19:17:23.954Z", "references": [ { "type": "WEB", "url": "https://github.com/vim/vim/releases/tag/v9.2.0137" }, { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32249.json" }, { "type": "ADVISORY", "url": "https://github.com/vim/vim/security/advisories/GHSA-9phh-423r-778r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32249" }, { "type": "FIX", "url": "https://github.com/vim/vim/commit/36d6e87542cf823d833e451e09a90ee429899cec" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "type": "CVSS_V3" } ], "summary": "NFA regex engine NULL pointer dereference affects Vim \u003c 9.2.0137" }