[Security] MacVim affected by CVE-2026-45130 — spell file heap buffer overflow (vim < 9.2.0450)
Summary
MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0450 that fixes CVE-2026-45130.
Vulnerability Details
- Upstream CVE: CVE-2026-45130
- Inherited from: vim/vim
- Affected code: src/spellfile.c, function read_compound()
- Vulnerability type: CWE-122 — Heap-Based Buffer Overflow
- Fixed in: vim 9.2.0450 (commit 92993329178cb1f72d700fff45ca86e1c2d369f8)
Root Cause
In read_compound() in src/spellfile.c, the buffer size for the compound pattern is
computed as:
int c;
int todo = len; // len is the 4-byte section length from the .spl file
c = todo * 2 + 7;
if (enc_utf8)
c += todo * 2; // total: todo * 4 + 7
pat = alloc(c);
When enc_utf8 is active, todo * 4 + 7 is computed using signed 32-bit arithmetic.
For certain values of len (e.g., 0x40000002), the multiplication overflows the signed
32-bit integer, producing a small positive c. The subsequent alloc(c) returns an
undersized buffer. The loop that follows then writes up to todo * 4 bytes into this
tiny buffer, causing a heap-based buffer overflow.
The fix (commit 92993329) changes the computation to use size_t arithmetic:
size_t patsize = (size_t)todo * 2 + 7;
patsize += (size_t)todo * 2;
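To make the arithmetic concrete, the following added example (not code from vim or MacVim) models both size computations side by side for the advisory's sample length 0x40000002. Signed overflow is undefined behaviour in C, so the wrap-around of the vulnerable version is reproduced with uint32_t arithmetic and a final cast; size_t is assumed to be 64-bit and modelled with uint64_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable arithmetic from read_compound(): a 32-bit int accumulates
 * todo*2+7, plus todo*2 when enc_utf8.  Wrap-around modelled explicitly
 * with uint32_t; the cast gives the value a two's-complement build would
 * hand to alloc(). */
static int32_t vuln_pat_size(uint32_t todo, bool enc_utf8)
{
    uint32_t c = todo * 2u + 7u;
    if (enc_utf8)
        c += todo * 2u;
    return (int32_t)c;
}

/* Fixed arithmetic from vim 9.2.0450, size_t assumed 64-bit (uint64_t):
 * no wrap is possible for any 32-bit section length. */
static uint64_t fixed_pat_size(uint32_t todo, bool enc_utf8)
{
    uint64_t patsize = (uint64_t)todo * 2 + 7;
    if (enc_utf8)
        patsize += (uint64_t)todo * 2;
    return patsize;
}

/* Upper bound on bytes the following loop may write (todo*4 with UTF-8,
 * todo*2 otherwise), as the advisory describes. */
static uint64_t bytes_written_upper_bound(uint32_t todo, bool enc_utf8)
{
    return (uint64_t)todo * (enc_utf8 ? 4u : 2u);
}

/* True when the vulnerable size is positive but too small for the writes:
 * exactly the heap overflow condition (a negative size would instead turn
 * into a huge size_t and fail allocation). */
static bool vuln_buffer_undersized(uint32_t todo, bool enc_utf8)
{
    int32_t c = vuln_pat_size(todo, enc_utf8);
    return c > 0 && (uint64_t)c < bytes_written_upper_bound(todo, enc_utf8);
}

int main(void)
{
    uint32_t len = 0x40000002u;               /* value from the advisory */
    printf("vuln alloc size  = %d\n", vuln_pat_size(len, true));       /* 15 */
    printf("fixed alloc size = %llu\n",
           (unsigned long long)fixed_pat_size(len, true));            /* 4294967311 */
    printf("undersized: %s\n", vuln_buffer_undersized(len, true) ? "yes" : "no");
    return 0;
}
```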
Affected MacVim Code
MacVim's src/spellfile.c (merged from vim/vim) contains the vulnerable code:
// src/spellfile.c around line 1278 (macvim r183)
c = todo * 2 + 7;
if (enc_utf8)
c += todo * 2;
pat = alloc(c);
Affected MacVim Version
MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.
The fix commit 92993329178cb1f72d700fff45ca86e1c2d369f8 from vim/vim is not present
in the macvim-dev/macvim repository:
git log --all --oneline | grep 92993329 # returns no output
Suggested Fix
Merge or cherry-pick vim/vim patches up to at least 9.2.0450:
References