CVE-2025-26603: 
Vim vulnerability analysis and mitigation

A heap use-after-free vulnerability was discovered in Vim versions prior to 9.1.1115, identified as CVE-2025-26603. The vulnerability was discovered on February 16, 2025, affecting Vim's register handling functionality when redirecting screen messages (Github Advisory, NVD).

The vulnerability occurs when using the :redir ex command to redirect screen messages to registers, variables, and files, particularly when displaying register contents using the :registers or :display ex command. When redirecting the output of :display to a register, Vim frees the register content before storing new content, leading to a use-after-free condition when the :display command is redirected to a register being displayed. The issue specifically affects the + and * registers (X11/clipboard registers) which fall back to register 0 when a clipboard connection is unavailable (Github Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 4.2 (Medium), with potential impacts including disclosure of sensitive information, modification of data, or Denial of Service (DoS). The impact is considered medium since it requires specific user interaction and command execution (Snyk, NetApp Advisory).

The vulnerability has been fixed in Vim patch 9.1.1115. The patch modifies Vim to skip outputting to register zero when trying to redirect to the clipboard registers * or +. Users are advised to upgrade to version 9.1.1115 or later. There are no known workarounds for this vulnerability (Github Advisory).

The vulnerability was responsibly disclosed by GitHub user @fizz-is-on-the-way. Various security vendors and organizations have published advisories, including NetApp, Red Hat, and Snyk, acknowledging the vulnerability and recommending updates to the patched version (Github Advisory).