{"id":"CVE-2025-9390","details":"A security flaw has been discovered in vim up to 9.1.1615. It affects the function main in the file src/xxd/xxd.c of the xxd component and results in a buffer overflow. The attack requires local access. An exploit has been released to the public and may be used. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as commit eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.","modified":"2026-04-12T22:06:22.545037Z","published":"2025-08-24T14:15:32.413Z","references":[{"type":"ADVISORY","url":"https://github.com/vim/vim/releases/tag/v9.1.1616"},{"type":"ADVISORY","url":"https://vuldb.com/?id.321223"},{"type":"REPORT","url":"https://github.com/vim/vim/issues/17944"},{"type":"REPORT","url":"https://github.com/vim/vim/pull/17947"},{"type":"REPORT","url":"https://vuldb.com/?ctiid.321223"},{"type":"FIX","url":"https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0"},{"type":"EVIDENCE","url":"https://vuldb.com/?submit.630903"},{"type":"EVIDENCE","url":"https://drive.google.com/file/d/1JLnqrdcGsjUhbYzIEweXIGZyETjHlKtX/view?usp=sharing"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vim/vim","events":[{"introduced":"6897f18ee6e5bb78b32c97616e484030fd514750"},{"fixed":"eeef7c77436a78cd27047b0f5fa6925d56de3cb0"}],"database_specific":{"versions":[{"introduced":"9.1.1459"},{"fixed":"9.1.1616"}]}}],"versions":["v9.1.1459","v9.1.1460","v9.1.1461","v9.1.1462","v9.1.1463","v9.1.1464","v9.1.1465","v9.1.1466","v9.1.1467","v9.1.1468","v9.1.1469","v9.1.1470","v9.1.1471","v9.1.1472","v9.1.1473","v9.1.1474","v9.1.1475","v9.1.1476","v9.1.1477","v9.1.1478","v9.1.1479","v9.1.1480","v9.1.1481","v9.1.1482","v9.1.1483","v9.1.1484","v9.1.1485","v9.1.1486","v9.1.1487","v9.1.1488","v9.1.1489","v9.1.1490","v9.1.1491","v9.1.1492","v9.1.1493","v9.1.1494","v9.1.1495","v9.1.1496","v9.1.1497","v9.1.1498","v9.1.1499","v9.1.1500","
v9.1.1501","v9.1.1502","v9.1.1503","v9.1.1504","v9.1.1505","v9.1.1506","v9.1.1507","v9.1.1508","v9.1.1509","v9.1.1510","v9.1.1511","v9.1.1512","v9.1.1513","v9.1.1514","v9.1.1515","v9.1.1516","v9.1.1517","v9.1.1518","v9.1.1519","v9.1.1520","v9.1.1521","v9.1.1522","v9.1.1523","v9.1.1524","v9.1.1525","v9.1.1526","v9.1.1527","v9.1.1528","v9.1.1529","v9.1.1530","v9.1.1531","v9.1.1532","v9.1.1533","v9.1.1534","v9.1.1535","v9.1.1536","v9.1.1537","v9.1.1538","v9.1.1539","v9.1.1540","v9.1.1541","v9.1.1542","v9.1.1543","v9.1.1544","v9.1.1545","v9.1.1546","v9.1.1547","v9.1.1548","v9.1.1549","v9.1.1550","v9.1.1551","v9.1.1552","v9.1.1553","v9.1.1554","v9.1.1555","v9.1.1556","v9.1.1557","v9.1.1558","v9.1.1559","v9.1.1560","v9.1.1561","v9.1.1562","v9.1.1563","v9.1.1564","v9.1.1565","v9.1.1566","v9.1.1567","v9.1.1568","v9.1.1569","v9.1.1570","v9.1.1571","v9.1.1572","v9.1.1573","v9.1.1574","v9.1.1575","v9.1.1576","v9.1.1577","v9.1.1578","v9.1.1579","v9.1.1580","v9.1.1581","v9.1.1582","v9.1.1583","v9.1.1584","v9.1.1585","v9.1.1586","v9.1.1587","v9.1.1588","v9.1.1589","v9.1.1590","v9.1.1591","v9.1.1592","v9.1.1593","v9.1.1594","v9.1.1595","v9.1.1596","v9.1.1597","v9.1.1598","v9.1.1599","v9.1.1600","v9.1.1601","v9.1.1602","v9.1.1603","v9.1.1604","v9.1.1605","v9.1.1606","v9.1.1607","v9.1.1608","v9.1.1609","v9.1.1610","v9.1.1611","v9.1.1612","v9.1.1613","v9.1.1614","v9.1.1615"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-9390.json","vanir_signatures_modified":"2026-04-12T22:06:22Z","vanir_signatures":[{"id":"CVE-2025-9390-545cd7d2","target":{"file":"src/version.c"},"deprecated":false,"signature_type":"Line","source":"https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["146200493773228420153804765641940418619","303976677791630286096045370925254338436","121574565101660150049825050709379521444","119557921091085456748924720331822243908"]}},{"id":
"CVE-2025-9390-6de4fabc","target":{"file":"src/xxd/xxd.c"},"deprecated":false,"signature_type":"Line","source":"https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","signature_version":"v1","digest":{"threshold":0.9,"line_hashes":["158087685137704314170311652646734074912","89614836006123446940882212557251093597","326357989856749730751812924593347172047","291110553696249106278240497664780906679","260802338558753997844932921427808237206","334319519211017816964855896791474646317","255075478571797577041046332989960932485","78902608737783707864810700874854025632","184490192128955350613100218089405440403","237300896181439364795650945344408309731","300951593696228600760190804732080773978","70879017677679359255211148090922466651","40175417942086987455638428709504420426","97648455128164993643778868208302862644","41938932438571335929600091967327023894","104404853967886445003422184510568633011","141713077402126074255614984636022793020"]}},{"id":"CVE-2025-9390-c0097d10","target":{"file":"src/xxd/xxd.c","function":"main"},"deprecated":false,"signature_type":"Function","source":"https://github.com/vim/vim/commit/eeef7c77436a78cd27047b0f5fa6925d56de3cb0","signature_version":"v1","digest":{"length":10766,"function_hash":"210730670501933845658456527682973390957"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}