new file mode 100644
@@ -0,0 +1,86 @@
+From 9b7dfa2948c9e1e5e32a5812812d580c7879f4a0 Mon Sep 17 00:00:00 2001
+From: Christian Brabandt <cb@256bit.org>
+Date: Mon, 23 Feb 2026 19:35:25 +0000
+Subject: [PATCH] patch 9.2.0075: [security]: Buffer underflow with emacs tag
+ file
+
+Problem: When parsing a malformed Emacs-style tags file, a 1-byte
+ heap-buffer-underflow read occurs if the 0x7f delimiter
+ appears at the very beginning of a line. This happens
+ because the code attempts to scan backward for a tag
+ name from the delimiter without checking if space exists.
+ (ehdgks0627, un3xploitable)
+Solution: Add a check to ensure the delimiter (p_7f) is not at the
+ start of the buffer (lbuf) before attempting to isolate
+ the tag name.
+
+GitHub Advisory:
+https://github.com/vim/vim/security/advisories/GHSA-xcc8-r6c5-hvwv
+
+Signed-off-by: Christian Brabandt <cb@256bit.org>
+
+
+CVE: CVE-2026-28419
+Upstream-Status: Backport [https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0]
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+---
+ src/tag.c | 3 +++
+ src/testdir/test_taglist.vim | 16 ++++++++++++++++
+ src/version.c | 2 ++
+ 3 files changed, 21 insertions(+)
+
+diff --git a/src/tag.c b/src/tag.c
+index 45af67f20d..d3a73997bb 100644
+--- a/src/tag.c
++++ b/src/tag.c
+@@ -2023,6 +2023,9 @@ etag_fail:
+ }
+ else // second format: isolate tagname
+ {
++ if (p_7f == lbuf)
++ goto etag_fail;
++
+ // find end of tagname
+ for (p = p_7f - 1; !vim_iswordc(*p); --p)
+ if (p == lbuf)
+diff --git a/src/testdir/test_taglist.vim b/src/testdir/test_taglist.vim
+index 506e64f7ae..42ecc4b76e 100644
+--- a/src/testdir/test_taglist.vim
++++ b/src/testdir/test_taglist.vim
+@@ -316,4 +316,20 @@ func Test_evil_emacs_tagfile()
+ set tags&
+ endfunc
+
++" This used to crash Vim due to a heap-buffer-underflow
++func Test_emacs_tagfile_underflow()
++ CheckFeature emacs_tags
++ " The sequence from the crash artifact:
++ let lines = [
++ \ "\x0c\xff\xffT\x19\x8a",
++ \ "\x19\x19\x0dtags\x19\x19\x19\x00\xff\xff\xff",
++ \ "\x7f3\x0c"
++ \ ]
++ call writefile(lines, 'Xtags', 'D')
++ set tags=Xtags
++ call assert_fails(':tag a', 'E431:')
++
++ set tags&
++endfunc
++
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 7d265ab641..4f47ec2688 100644
+--- a/src/version.c
++++ b/src/version.c
+@@ -724,6 +724,8 @@ static char *(features[]) =
+
+ static int included_patches[] =
+ { /* Add new patch number below this line */
++/**/
++ 1686,
+ /**/
+ 1685,
+ /**/
+--
+2.50.1
+
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \
file://CVE-2026-25749.patch \
file://CVE-2026-26269.patch \
file://CVE-2026-28418.patch \
+ file://CVE-2026-28419.patch \
"
PV .= ".1683"
Pick patch from [1] also mentioned in [2] [1] https://github.com/vim/vim/commit/9b7dfa2948c9e1e5e32a5812812d580c7879f4a0 [2] https://nvd.nist.gov/vuln/detail/CVE-2026-28419 Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> --- .../vim/files/CVE-2026-28419.patch | 86 +++++++++++++++++++ meta/recipes-support/vim/vim.inc | 1 + 2 files changed, 87 insertions(+) create mode 100644 meta/recipes-support/vim/files/CVE-2026-28419.patch