CVE-2026-26269

Description

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

Read the notes from the security team

Why is this CVE low priority?

This is a minor denial of service issue

Learn more about Ubuntu priority

• How can I get the fixes?
• What do statuses mean?
• Patch details

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Notes

Patch details

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-8101-1
• Vim vulnerabilities
• 16 March 2026

Other references

• https://www.cve.org/CVERecord?id=CVE-2026-26269
• https://github.com/vim/vim/security/advisories/GHSA-9w5c-hwr9-hc68
• https://github.com/vim/vim/releases/tag/v9.1.2148
• http://www.openwall.com/lists/oss-security/2026/02/13/2