VYPR
Unrated severity · NVD Advisory · Published Jan 26, 2022 · Updated Aug 2, 2024

Out-of-bounds Read in vim/vim

CVE-2022-0368

Description

An out-of-bounds read in Vim versions prior to 8.2.4217 allows a denial of service through specially crafted undo operations.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the undo functionality of Vim versions prior to 8.2.4217 [3]. The issue occurs in u_undo_end() when an undo operation causes the Visual area to extend beyond the end of a line. The fix adds a check_pos() call if VIsual_active is set, preventing access to invalid memory [3]. The vulnerability was addressed in patch 8.2.4217 [3].

Exploitation

An attacker could exploit this by providing a crafted file or sequence of undo commands that trigger the invalid memory access [3]. The proof-of-concept in the patch shows a sequence using set undolevels, undo, and normal mode commands that reproduce the issue [3]. No authentication or special network access is required, as the vulnerability can be triggered locally by opening a malicious file.

Impact

Successful exploitation results in a denial of service condition, such as a crash, due to the out-of-bounds read [3][4]. Gentoo's security advisory lists denial of service as the primary impact [4]. There is no evidence of remote code execution or data exfiltration from the available references.

Mitigation

Vim versions 9.0.0060 and later are not affected [4]. Gentoo recommends upgrading to >=app-editors/vim-9.0.0060 [4]. The fix was included in Vim patch 8.2.4217 [3]. Users of earlier versions should update their Vim installation. No workaround is available [4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing bounds check after undo operation allows the Visual area end position to point beyond the end of a line, causing an out-of-bounds read."

Attack vector

An attacker can craft a text file that, when opened in Vim and the user performs a specific sequence of edits and undo operations, causes the Visual area end position to extend past the end of a line [ref_id=1]. The sequence involves inserting text, setting 'undolevels' to create a new undo block, performing a search, and then executing undo followed by a Visual-mode command. This triggers an out-of-bounds read when Vim accesses memory beyond the allocated line buffer during the Visual area check.

Affected code

The vulnerable code is in the `u_undo_end()` function in Vim's undo.c file [ref_id=1]. The patch inserts a bounds check after the undo completion logic, before the status message is displayed. No specific function name is given in the patch beyond the context of the undo end routine.

What the fix does

The patch adds a call to `check_pos(curbuf, &VIsual)` inside `u_undo_end()`, guarded by a check that Visual mode is active (`if (VIsual_active)`) [ref_id=1]. This validates that the Visual area end position is within the bounds of the current buffer after an undo operation completes. The fix ensures that any Visual area that became invalid due to undo (e.g., pointing past the end of a line) is corrected before it can be used in subsequent operations, preventing the out-of-bounds read.
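
The effect of that check, as an added illustration in C that is a simplified model and not Vim's source: `pos_t`, `buf_t`, `clamp_pos`, `undo_end_model` and the sample line are constructed here. Only the guard on Visual mode and the clamp applied once the undo has finished come from the description above.

```c
/* Simplified model, not Vim source: a Visual position left stale by undo,
 * and the clamp applied to it once the undo has finished. */
#include <stdio.h>
#include <string.h>
typedef struct { int lnum; int col; } pos_t;   /* 1-based line, 0-based column */
typedef struct { const char **lines; int count; } buf_t;

/* 1 if pos addresses a byte of its line (the terminating NUL included). */
int pos_in_bounds(const buf_t *b, const pos_t *p)
{
    if (p->lnum < 1 || p->lnum > b->count || p->col < 0)
        return 0;
    return (size_t)p->col <= strlen(b->lines[p->lnum - 1]);
}

/* Clamp pos into the buffer: at most the last line, at most the line length.
 * Assumes lnum >= 1 and a buffer with at least one line. */
void clamp_pos(const buf_t *b, pos_t *p)
{
    int len;
    if (p->lnum > b->count) p->lnum = b->count;
    len = (int)strlen(b->lines[p->lnum - 1]);
    if (p->col > len) p->col = len;
}

/* End of an undo: b already holds the restored text. With the fix, an active
 * Visual position is clamped first. Returns 1 if it is safe to dereference. */
int undo_end_model(const buf_t *b, pos_t *visual, int visual_active, int with_fix)
{
    if (with_fix && visual_active)
        clamp_pos(b, visual);
    return !visual_active || pos_in_bounds(b, visual);
}

/* Constructed case: Visual mark at column 40, undo restores the line "ab". */
static const char *restored[] = { "ab" };
static pos_t demo_pos;
int demo(int with_fix)
{
    buf_t b = { restored, 1 };
    demo_pos.lnum = 1; demo_pos.col = 40;
    return undo_end_model(&b, &demo_pos, 1, with_fix);
}
int demo_col(void) { return demo_pos.col; }
int main(void)
{
    int before = demo(0), after = demo(1);
    printf("without check: in bounds=%d; with check: in bounds=%d col=%d\n", before, after, demo_col());
    return 0;
}
```

Without the clamp the model reports the stale column 40 as out of bounds for the two-byte line; with it the column is pulled back to 2, the line's length.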

Preconditions

  • input: Victim must open a crafted file in Vim and perform a specific sequence of edits, searches, and undo operations
  • config: Vim must be configured with 'undolevels' set to a positive value (undo enabled)

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
