Use After Free in vim/vim
Description
A use-after-free vulnerability in vim's function line handling allows arbitrary code execution via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in vim's handling of line continuations in function arguments and bodies. The bug resides in `get_function_line()` and related functions: a single pointer, `line_to_free`, tracked only the most recently allocated line, but multiple lines could be allocated during parsing without being tracked, so a line that had already been freed could later be accessed. This affects vim versions prior to patch 8.2.4040 [3].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious file that triggers the use-after-free when opened in vim. No special privileges or network access are required; only user interaction (opening the file) is needed. The attacker must construct a file with specific line continuations in function definitions to cause the freed memory to be accessed.
Impact
Successful exploitation could lead to arbitrary code execution in the context of the vim process, or cause a denial of service via application crash. The impact is limited to the user's session, but could be leveraged for privilege escalation if vim is running with elevated privileges (e.g., editing system files).
Mitigation
The vulnerability is fixed in vim patch 8.2.4040, available in the commit 9f1a39a5d1cd7989ada2d1cb32f97d84360e050f [3]. Users should update to vim version 8.2.4040 or later. No workaround is available; updating is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in Vim's function definition parsing due to a single pointer tracking the last allocated line, allowing a freed line to remain referenced via eap->cmdlinep."
Attack vector
An attacker can trigger this use-after-free by crafting a Vim script file (or persuading a user to open one) that defines a function with line continuations, causing `get_function_line()` to allocate and free lines in an unsafe manner. The old code used a single `line_to_free` pointer to track the last allocated line; when multiple lines were fetched, a previously freed line could still be referenced via `eap->cmdlinep`, leading to a use-after-free when that pointer is later dereferenced [ref_id=1]. No authentication or special privileges are required beyond opening the malicious file in Vim.
Affected code
The vulnerability affects Vim's function definition parsing code, specifically `get_function_line()`, `get_function_args()`, `get_function_body()`, `define_function()`, and `ex_function()` in the Vim source tree. The patch modifies these functions to replace a single `line_to_free` pointer with a `garray_T lines_to_free` array, fixing a use-after-free condition that occurs when multiple lines are allocated during function parsing.
What the fix does
The patch replaces the single `char_u *line_to_free` pointer with a `garray_T lines_to_free` growable array that tracks all allocated lines [ref_id=1]. Instead of freeing the old line and replacing the pointer on each new line fetch, the new code appends each line to `lines_to_free` via `ga_add_string()` and only frees the entire array at cleanup with `ga_clear_strings()`. This ensures no dangling pointer remains in `eap->cmdlinep` after a line is freed, closing the use-after-free window.
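To make the lifetime change concrete, here is an added, simplified C model of the two schemes; it is not vim's code and does not reproduce its parser. `SRC`, `fetch()` and the minimal `garray` type are constructed stand-ins, and `parse_vulnerable()` / `parse_fixed()` only report whether the header line still referenced through `cmdline` gets freed before parsing finishes (the freed pointer is never dereferenced).

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the lines of a function definition being parsed. */
static const char *SRC[] = { "func! Demo(", "\\ arg1,", "\\ arg2)", "endfunc" };
#define NLINES 4
typedef struct { char **items; int len; } garray;   /* stand-in for garray_T */
static char *fetch(int i) {                          /* allocate a copy of line i */
    char *p = malloc(strlen(SRC[i]) + 1);
    if (p == NULL) abort();
    return strcpy(p, SRC[i]);
}
/* Vulnerable pattern: one pointer tracks "the last allocated line" and each fetch frees
 * it, even if the caller still references it through cmdlinep. Returns 1 when a
 * still-referenced line is about to be freed (the comparison happens before the free). */
static int fetch_single_ptr(char **line_to_free, char **cmdlinep, int i) {
    int dangling = (*line_to_free != NULL && *line_to_free == *cmdlinep);
    free(*line_to_free);                     /* may free what cmdlinep points at */
    *line_to_free = fetch(i);
    if (i == 0) *cmdlinep = *line_to_free;   /* header line kept for error messages */
    return dangling;
}
/* Fixed pattern: every line is appended and freed only by ga_clear_strings() at cleanup. */
static void ga_add_string(garray *ga, char *s) {
    char **p = realloc(ga->items, sizeof(char *) * (size_t)(ga->len + 1));
    if (p == NULL) abort();
    ga->items = p;
    ga->items[ga->len++] = s;
}
static void ga_clear_strings(garray *ga) {
    while (ga->len > 0) free(ga->items[--ga->len]);
    free(ga->items); ga->items = NULL;
}
/* 1 if the single-pointer scheme frees the header while cmdline still references it. */
int parse_vulnerable(void) {
    char *line_to_free = NULL, *cmdline = NULL; int dangling = 0;
    for (int i = 0; i < NLINES && !dangling; i++)
        dangling = fetch_single_ptr(&line_to_free, &cmdline, i);
    free(line_to_free);                      /* cmdline is a dangling pointer here */
    return dangling;
}
/* 1 if the array scheme keeps every line, including cmdline, alive until cleanup. */
int parse_fixed(void) {
    garray lines = { NULL, 0 }; char *cmdline = NULL;
    for (int i = 0; i < NLINES; i++) {
        ga_add_string(&lines, fetch(i));
        if (i == 0) cmdline = lines.items[0];
    }
    int ok = (lines.len == NLINES && strcmp(cmdline, SRC[0]) == 0);
    ga_clear_strings(&lines);
    return ok;
}
```

The single-pointer scheme frees the header on the very next fetch while `cmdline` still points at it, which is the window the patch closes by deferring all frees to one cleanup call.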
Preconditions
- input: Victim must open a crafted Vim script file (or be tricked into doing so) that defines a function with line continuations.
- auth: No authentication or special privileges are required beyond normal file access.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3FH2J57GDA2WMBS6J56F6QQRA6BXQQFZ/ (vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HD5S2FC2HF22A7XQXK2XXIR46EARVWIM/ (vendor advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202208-32 (vendor advisory, x_refsource_GENTOO)
- seclists.org/fulldisclosure/2022/Jul/13 (mailing list, x_refsource_FULLDISC)
- seclists.org/fulldisclosure/2022/Mar/29 (mailing list, x_refsource_FULLDISC)
- www.openwall.com/lists/oss-security/2022/01/15/1 (mailing list, x_refsource_MLIST)
- github.com/vim/vim/commit/9f1a39a5d1cd7989ada2d1cb32f97d84360e050f (x_refsource_MISC)
- huntr.dev/bounties/47dded34-3767-4725-8c7c-9dcb68c70b36 (x_refsource_CONFIRM)
- support.apple.com/kb/HT213183 (x_refsource_CONFIRM)
- support.apple.com/kb/HT213344 (x_refsource_CONFIRM)
News mentions: 0
No linked articles in our index yet.