CVE-2025-26603 [Medium] | Use-After-Free in Vim

Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to redirect screen messages using the `:redir` ex command to register, variables and files. It also allows to show the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before storing the new content in the register. Now when redirecting the `:display` command to a register that is being displayed, Vim will free the content while shortly afterwards trying to access it, which leads to a use-after-free. Vim pre 9.1.1115 checks in the ex_display() function, that it does not try to redirect to a register while displaying this register at the same time. However this check is not complete, and so Vim does not check the `+` and `*` registers (which typically donate the X11/clipboard registers, and when a clipboard connection is not possible will fall back to use register 0 instead. In Patch 9.1.1115 Vim will therefore skip outputting to register zero when trying to redirect to the clipboard registers `*` or `+`. Users are advised to upgrade. There are no known workarounds for this vulnerability.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	0.05%	0.22%	+0.17%
2	2025-11-21	0.08%	0.05%	-0.04%
3	2025-11-18	—	0.08%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

0.05%

0.22%

+0.17%

2025-11-21

0.08%

0.05%

-0.04%

2025-11-18

—

0.08%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.2	3.1	MEDIUM	`CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:R) A real person has to do something—click, install, enable—otherwise it doesn’t land. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:L) Some sensitive info could get out, but not a total data dump. Integrity (I:L) Attackers could change some data, but it’s limited—not everything goes. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.	0.8	3.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.2

3.1

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L Click to expand

Attack vector (AV:L): They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H): Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:L): A normal user session is enough; they don’t have to be admin.
User interaction (UI:R): A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:L): Some sensitive info could get out, but not a total data dump.
Integrity (I:L): Attackers could change some data, but it’s limited—not everything goes.
Availability (A:L): Might cause slowdowns, glitches, or partial disruption—not a full brick.

0.8

3.4

[email protected]

OS Trackers for CVE-2025-26603

vendor	priority	summary	link
`alpine`	—	CVE-2025-26603: 1 source package rows (vim); 215 state rows across 5 repos (3.19-main, 3.20-main, 3.21-main, 3.22-main, edge-main); fixed 2, open 213.	https://security.alpinelinux.org/vuln/CVE-2025-26603
`debian`	unimportant	CVE-2025-26603 unimportant priority: Debian including 1 source packages (vim), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 3, open 2.	https://security-tracker.debian.org/tracker/CVE-2025-26603
`redhat`	low	—	https://access.redhat.com/security/cve/CVE-2025-26603
`suse`	medium	CVE-2025-26603 severity moderate: SUSE including 6 source package names (gvim, vim, vim-data, vim-data-common, vim-small, xxd), 168 product×package rows across 41 product lines (SLES-LTSS-TERADATA 15 SP2, SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS, … (41 product lines)): Known Not Affected 168.	https://www.suse.com/security/cve/CVE-2025-26603/
`ubuntu`	medium	CVE-2025-26603 medium priority: Ubuntu including 1 source packages (vim), 8 status rows across 8 suites (bionic, focal, jammy, noble, oracular, trusty, upstream, xenial): released 8.	https://ubuntu.com/security/CVE-2025-26603

Affected software / configurations for CVE-2025-26603

Vendor	Product	Version	Raw CPE
vim	vim	< 9.1.1115	cpe:2.3:a:vim:vim::::::::
netapp	hci_compute_node	—	cpe:2.3:h:netapp:hci_compute_node:-:::::::*

References for CVE-2025-26603

URL	Tags
https://github.com/vim/vim/commit/c0f0e2380e5954f4a52a131bf6b8	Patch
https://github.com/vim/vim/security/advisories/GHSA-63p5-mwg2-787v	Vendor Advisory
https://security.netapp.com/advisory/ntap-20250306-0003/	Third Party Advisory

URL

CVE-2025-26603 | heap-use-after-free in function str_to_reg in vim/vim

Exploit prediction scoring system (EPSS) score for CVE-2025-26603

Common vulnerability scoring system (CVSS) metrics for CVE-2025-26603

Weakness enumeration for CVE-2025-26603

OS Trackers for CVE-2025-26603

Affected software / configurations for CVE-2025-26603

References for CVE-2025-26603