VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 6, 2022· Updated Aug 2, 2024

Out-of-bounds Read in vim/vim

CVE-2022-0128

Description

An out-of-bounds read vulnerability in Vim versions prior to patch 8.2-4424 could be triggered by malicious input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read vulnerability in Vim versions prior to patch 8.2-4424 could be triggered by malicious input.

Vulnerability

CVE-2022-0128 is an out-of-bounds read vulnerability in Vim, a popular text editor. The issue affects Vim versions prior to the fix introduced in patch 8.2-4424. The vulnerability resides in the way Vim handles certain input, which can lead to reading memory beyond the intended buffer boundaries. [1][4]

Exploitation

An attacker could exploit this vulnerability by convincing a user to open a specially crafted file in Vim. No special privileges or network position is required aside from the ability to provide the malicious file to the victim. The user interaction is required to trigger the flaw. [1][4]

Impact

Successful exploitation could result in an out-of-bounds read, potentially leading to an unexpected application termination or disclosure of sensitive memory contents. [1][4]

Mitigation

The fix for CVE-2022-0128 was included in macOS Monterey 12.3, released March 14, 2022. [1] The underlying Vim patched version is 8.2-4424. [4] Users should update to the latest Vim version or apply the relevant macOS security update. There is no evidence that this CVE is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

References
  1. About the security content of macOS Monterey 12.3 - Apple Support
  2. security - Re: 3 new CVE's in vim

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

36

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NUL-terminator check before comparing adjacent characters allows reading one byte beyond the end of the line."

Attack vector

An attacker can craft a Vim script file (or VimL code) containing a malformed command that ends with a single `+` or `-` character at the end of the line. When Vim processes this command in `find_ex_command()`, the missing NUL check causes the code to read `p[1]` — one byte past the end of the line — leading to an out-of-bounds read [ref_id=1]. The test case added in the patch shows that a script containing just "cal" (an incomplete command) triggers the issue [ref_id=1].

Affected code

The vulnerability is in the `find_ex_command()` function in Vim's source code. The patch also touches `compile_def_function()` in the same file. The bug occurs when checking for "++nr" and "--nr" patterns — the code compared `p[0] == p[1]` without first verifying that `p[0]` is not NUL, which could cause an out-of-bounds read one byte beyond the end of the line [ref_id=1].

What the fix does

The patch adds a `p[0] != NUL` check before the `p[0] == p[1]` comparison in both `find_ex_command()` and `compile_def_function()` [ref_id=1]. This ensures that when the command string is only one character long (or ends with a single `+` or `-`), the code does not attempt to read the byte at `p[1]`, which would be beyond the end of the string. The fix also includes a new test function `Test_go_beyond_end_of_cmd()` that verifies the malformed input now produces error E476 instead of reading out of bounds [ref_id=1].

Preconditions

  • inputAttacker must supply a Vim script file or VimL code that Vim processes
  • inputThe crafted command must end with a single '+' or '-' character at the end of the line (e.g., an incomplete command like 'cal')

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.