VYPR
Unrated severity · NVD Advisory · Published Jan 26, 2022 · Updated Nov 3, 2025

Heap-based Buffer Overflow in vim/vim

CVE-2022-0359

Description

A heap-based buffer overflow in Vim's ex mode command-line buffer allows arbitrary code execution via a crafted file with large 'tabstop' values.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in Vim's init_ccline() function, which sets up the command-line buffer in Ex mode. When 'tabstop' (ts) is set to a large value, the initial buffer allocation is too small for the resulting indent, so subsequent command-line editing writes past the end of the heap buffer. Vim versions before 8.2.4214 are affected; patch 8.2.4214 contains the fix [3].

Exploitation

An attacker can trigger the vulnerability by crafting a file that produces a large indent (e.g., via set ts=500 ai) and having the victim enter Ex mode (e.g., with gQ). No authentication or special privileges are required; the user only needs to open the malicious file and run the Ex mode command sequence [3].

Impact

Successful exploitation allows arbitrary code execution on the victim's system. The flaw is a memory-corruption bug, with a CVSS score reflecting high severity. The attacker gains the ability to run arbitrary code in the context of the Vim process, which can lead to further compromise of the system [1], [3].

Mitigation

The vulnerability is fixed in Vim version 8.2.4214 and later, as well as in the corresponding patch released in 2022. Users should upgrade to Vim 8.2.4214 or later. Gentoo users are advised to update to >=app-editors/vim-9.0.0060 [4]. There is no known workaround [4]. Apple also addressed this issue in macOS Ventura 13 (as CVE-2022-0359) [1] and macOS Monterey 12.6 (as CVE-2022-42789) [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 43

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 10

News mentions: 0 (no linked articles in our index yet)