VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 21, 2022· Updated Aug 2, 2024

Out-of-bounds Read in vim/vim

CVE-2022-0319

Description

Out-of-bounds read in vim's window exchange operation during Visual mode can be triggered by opening a crafted file, leading to information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in vim's window exchange operation during Visual mode can be triggered by opening a crafted file, leading to information disclosure.

Vulnerability

An out-of-bounds read vulnerability exists in vim prior to version 8.2.4154, specifically in the win_exchange() function. The issue occurs when exchanging windows during Visual mode, as demonstrated in the commit fixing the bug [3]. Affected versions include all vim releases before the patch (8.2.4154).

Exploitation

An attacker can exploit this by crafting a file that, when opened in vim, triggers an exchange of windows in Visual mode (e.g., via the `` command). The user must open the malicious file and perform the window exchange sequence, but no special privileges are required beyond having vim installed.

Impact

Successful exploitation results in an out-of-bounds read, which may lead to information disclosure. The bug manifests as an ml_get error and could potentially be used to read sensitive memory content.

Mitigation

The fix was applied in commit 05b27615481e72e3b338bb12990fb3e0c2ecc2a9, included in vim 8.2.4154 and later releases [3]. The Gentoo security advisory recommends upgrading to vim >=9.0.0060 [4]. Users should update their vim installations to the latest version.

References
  1. patch 8.2.4154: ml_get error when exchanging windows in Visual mode · vim/vim@05b2761
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

40

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing check for whether the target window's buffer differs from the current buffer before restoring Visual selection, leading to an out-of-bounds read via ml_get."

Attack vector

An attacker can trigger the out-of-bounds read by entering Visual mode (e.g., blockwise Visual via Ctrl-V), then exchanging windows with Ctrl-W Ctrl-X, and finally inserting text with O. When the window exchange occurs, the code in win_exchange() attempts to restore the Visual selection or cursor position without verifying that the target window's buffer (wp->w_buffer) is the same as the current buffer (curbuf). If they differ, subsequent operations on the stale cursor position cause ml_get to read out of bounds [ref_id=1]. The attack requires the ability to open multiple windows and execute these normal-mode commands.

Affected code

The vulnerable function is win_exchange() in src/window.c, around line 1691. The patch adds a buffer-equality check before restoring Visual state [ref_id=1]. A related whitespace fix is applied to win_alloc_lines() at line 5337.

What the fix does

The patch adds two guards in win_exchange() [ref_id=1]. First, if wp->w_buffer != curbuf, it resets the Visual selection entirely (reset_VIsual_and_resel()), preventing any stale cursor from being used on the wrong buffer. Second, if the buffers match but Visual mode is active, it copies the current window's cursor to the target window (wp->w_cursor = curwin->w_cursor), ensuring the cursor position is valid for the correct buffer. A minor whitespace fix is also applied to win_alloc_lines().

Preconditions

  • inputAttacker must be able to enter Visual mode (e.g., blockwise Visual with Ctrl-V) in a Vim session with multiple windows.
  • networkNo network precondition; the attack is triggered locally via normal-mode commands.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.