CVE-2025-9390

5.3 MEDIUM

📋 TL;DR

A buffer overflow vulnerability in vim's xxd component allows local attackers to execute arbitrary code or cause denial of service. The flaw exists in the main function of src/xxd/xxd.c and affects vim installations up to version 9.1.1615. Attackers with local access can exploit this to potentially gain elevated privileges.

💻 Affected Systems

Products:
  • vim
Versions: up to version 9.1.1615
Operating Systems: All operating systems running vulnerable vim versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where xxd is installed and accessible. xxd is typically included with vim installations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local privilege escalation leading to full system compromise, arbitrary code execution as the user running xxd, or complete system crash.

🟠 Likely Case

Denial of service (xxd crash) or limited code execution within the context of the user running xxd.

🟢 If Mitigated

Minimal impact if proper access controls limit local user privileges and xxd usage is restricted.

🌐 Internet-Facing: LOW - This is a local-only vulnerability requiring access to the system.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this, but exploitation requires specific conditions and user interaction.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and user interaction with xxd. A proof of concept has been released publicly, according to the CVE description.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.1.1616

Vendor Advisory: https://github.com/vim/vim/releases/tag/v9.1.1616

Restart Required: No

Instructions:

1. Update vim using your system's package manager (apt-get upgrade vim, yum update vim, etc.)
2. Verify installation of vim version 9.1.1616 or later
3. No service restart required as xxd is a command-line utility

🔧 Temporary Workarounds

Remove or restrict xxd access (platform: all)

Remove execute permissions from the xxd binary, or restrict access via file permissions/ACLs (either command below is enough on its own; the second also removes read access):

sudo chmod -x /usr/bin/xxd
sudo chmod 000 /usr/bin/xxd

Disable xxd via package management (platform: linux)

Remove the xxd package if it is installed separately:

sudo apt-get remove xxd
sudo yum remove xxd

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can execute xxd
  • Monitor for unusual xxd execution patterns or crashes

🔍 How to Verify

Check if Vulnerable:

Check vim version: vim --version | head -1. If version is 9.1.1615 or earlier, system is vulnerable.

Check Version:

vim --version | head -1

Verify Fix Applied:

Verify vim version is 9.1.1616 or later: vim --version | head -1
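As an added example (not part of this advisory), the POSIX shell check below classifies a `vim --version` dump for CVE-2025-9390. It reads both the first line and the "Included patches:" line, because `head -1` shows only the major.minor version (e.g. 9.1) while the patch level appears further down (e.g. "Included patches: 1-1615"). The sample dumps are constructed; the fix threshold 9.1.1616 is the patch version named above.

```shell
#!/bin/sh
# Classify `vim --version` output for CVE-2025-9390 (added example, not advisory text).
# Fixed in vim 9.1.1616 per the advisory; anything at 9.1 with patch < 1616, or older, is vulnerable.

FIXED_MAJOR=9
FIXED_MINOR=1
FIXED_PATCH=1616

# Highest patch number on the "Included patches:" line of stdin; prints 0 if the line is absent.
# Handles ranges with gaps such as "1-100, 102-1620".
highest_patch() {
  p=$(sed -n 's/^Included patches: *//p' | tr ',' '\n' \
      | sed 's/.*-//; s/[^0-9]//g' | sort -n | tail -n 1)
  echo "${p:-0}"
}

# Print "fixed", "vulnerable" or "unknown" for the `vim --version` text on stdin.
cve_2025_9390_status() {
  text=$(cat)
  # First line looks like "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled ...)"; extract "9 1".
  ver=$(printf '%s\n' "$text" | sed -n '1s/^VIM - Vi IMproved \([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
  [ -n "$ver" ] || { echo unknown; return 0; }
  set -- $ver
  major=$1; minor=$2
  patch=$(printf '%s\n' "$text" | highest_patch)
  if   [ "$major" -gt "$FIXED_MAJOR" ]; then echo fixed
  elif [ "$major" -lt "$FIXED_MAJOR" ]; then echo vulnerable
  elif [ "$minor" -gt "$FIXED_MINOR" ]; then echo fixed
  elif [ "$minor" -lt "$FIXED_MINOR" ]; then echo vulnerable
  elif [ "$patch" -ge "$FIXED_PATCH" ]; then echo fixed
  else echo vulnerable
  fi
}

# Constructed sample dumps, trimmed to the two lines the check uses.
SAMPLE_VULN='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Aug 01 2025 10:00:00)
Included patches: 1-1615'
SAMPLE_FIXED='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Aug 12 2025 10:00:00)
Included patches: 1-1616'

printf '%s\n' "$SAMPLE_VULN"  | cve_2025_9390_status   # prints: vulnerable
printf '%s\n' "$SAMPLE_FIXED" | cve_2025_9390_status   # prints: fixed
# On a live system: vim --version | cve_2025_9390_status
```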

📡 Detection & Monitoring

Log Indicators:

  • xxd process crashes
  • segmentation faults in xxd
  • unusual xxd execution patterns

Network Indicators:

  • None - local-only vulnerability

SIEM Query:

Process:Name='xxd' AND (EventID=1000 OR EventID=1001) OR Process:Name='xxd' AND CommandLine CONTAINS suspicious_pattern
