Heap-based Buffer Overflow in vim/vim

Vulnerability

CVE-2022-0213 describes a heap-based buffer overflow in vim. The flaw resides in the status line rendering code, specifically in the NameBuff handling within win_redr_status(). When a file with an extremely long name is opened and the status line is redrawn (e.g., on :redraw! or certain modeline actions), the code can write beyond the allocated buffer NameBuff. The overflow is triggered in versions prior to patch 8.2.4074 [2].

Exploitation

An attacker would need to provide a crafted file with an overlong file name and entice the user to open it in vim. The user must then trigger a status line redraw (e.g., by switching windows or using :redraw!). The attacker does not require any special network position or authentication beyond being able to serve or send the file to the victim. The overflow occurs when the code appends a space character to indicate buffer status (help, preview, changed, readonly) without first checking that len < MAXPATHL - 1 [2].

Impact

Successful exploitation results in a heap-based buffer overflow, which can corrupt adjacent heap memory. This may cause a crash (denial of service) or, in theory, allow arbitrary code execution, though the complexity of controlling the overwritten data is high. In the context of vim, an attacker could potentially execute arbitrary commands with the privileges of the vim process [1].

Mitigation

The fix is included in vim patch 8.2.4074, released on 2021-10-04 [2]. Users should upgrade to vim version 9.0.0060 or later to receive all cumulative fixes [3]. There is no known workaround; however, users can mitigate risk by not opening untrusted files in vim or by using a tool like view in read-only mode [3].