Vim is an open source, command line text editor. Prior to 9.2.0725, the single-byte branch of spell_soundfold_sal() in src/spell.c translates a word through a spell file's SAL sound-folding rules into a caller-owned result buffer, but its result writes are guarded with reslen < MAXWLEN, allowing reslen to reach MAXWLEN before res[reslen] = NUL writes one byte past the end of the MAXWLEN-element stack buffer. A boundary-length word passed to soundfold(), or reached via sound-based spell suggestion while a SAL-based spell language is active under a non-multibyte 8-bit encoding, can corrupt the eval_soundfold() stack frame and crash the editor. This issue is fixed in version 9.2.0725.
2:8.2.3995-1ubuntu2.342:9.1.0016-1ubuntu7.182:9.1.2141-1ubuntu4.72:7.4.052-1ubuntu3.1+esm312:7.4.1689-3ubuntu1.5+esm372:8.0.1453-1ubuntu1.13+esm222:8.1.2269-1ubuntu5.32+esm10Exploitability
AV:LAC:LAT:PPR:NUI:AVulnerable System
VC:NVI:NVA:HSubsequent System
SC:NSI:NSA:NCVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N