cve 2026 28419

CVE-2026-28419 is a heap-based buffer underflow vulnerability in Vim's Emacs-style tags parsing, specifically in the emacs_tags_parse_line() function within src/tag.c. The flaw occurs when a malformed tags file places a delimiter at the very start of a line, leading to a one-byte underflow that can cause a crash (denial of service). This issue was fixed in Vim patch level 9.2.0075. The vulnerability affects users who open untrusted tags files in Vim, potentially allowing an attacker to trigger a denial of service. Windows users running Vim on their systems should apply the patch to mitigate this risk.