VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 28, 2022· Updated Nov 3, 2025

Heap-based Buffer Overflow in vim/vim

CVE-2022-0392

Description

A heap-based buffer overflow in Vim's bracketed paste in Ex mode allows arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in Vim's bracketed paste in Ex mode allows arbitrary code execution.

Vulnerability

A heap-based buffer overflow exists in Vim's bracketed paste functionality when used in Ex mode, as described in the CVE description. The vulnerability resides in the bracketed_paste() function, where a missing NUL terminator space allocation can cause a heap buffer overwrite. The issue was resolved in patch 8.2.4218, which adjusts the memory grow check from gap->ga_data size idx to idx + 1. Versions prior to Vim 8.2 are affected [3] [4].

Exploitation

An attacker with the ability to supply a crafted input to Vim's bracketed paste in Ex mode can trigger the overflow. The attack requires user interaction: the victim must paste attacker-controlled data while Vim is in Ex mode. The proof-of-concept test pastes more than 40 bytes of input (e.g., 60 zeros) to reproduce the condition [3]. No authentication or special network position is required beyond delivering the malicious paste payload.

Impact

Successful exploitation leads to arbitrary code execution, as the heap overflow corrupts adjacent memory structures. This may allow an attacker to execute arbitrary commands in the context of the Vim process. The CVE description notes a memory consumption issue, but the Apple security reference [1] confirms “arbitrary code execution” as the impact. Gentoo's advisory [4] lists denial of service as a possibility, but the primary risk is code execution.

Mitigation

Users should upgrade to Vim version 8.2 (or later) which includes patch 8.2.4218, released on January 28, 2022 [3]. Gentoo recommends upgrading to Vim 9.0.0060 or gVim equivalent [4]. Apple incorporated the fix in macOS Ventura 13 [1] and Monterey 12.6 [2] by updating their bundled Vim. No workaround other than upgrading is available.

References
  1. About the security content of macOS Ventura 13 - Apple Support
  2. About the security content of macOS Monterey 12.6 - Apple Support
  3. patch 8.2.4218: illegal memory access with bracketed paste in Ex mode · vim/vim@806d037
  4. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

43

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

9

News mentions

0

No linked articles in our index yet.