VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2022 · Updated Aug 2, 2024

Out-of-bounds Read in vim/vim

CVE-2022-0393

Description

Out-of-bounds read in Vim's delete_buff_tail function when recording in Select mode, leading to crash or memory disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the delete_buff_tail function in Vim's buffer handling code. The function does not check whether buf->bh_curr or buf->bh_curr->b_str is NULL before calling STRLEN, so it reads from an invalid memory address. This code path is reachable when recording in Select mode. Affected versions are those before patch 8.2.4233. [1]

Exploitation

An attacker can trigger the vulnerability by crafting a sequence of Vim commands that involve recording in Select mode. The attacker needs to be able to execute arbitrary Vim commands, typically by tricking a user into opening a malicious file or executing a macro. No special privileges are required; the user must be using an affected version and perform the specific recording action. [1]

Impact

Successful exploitation results in an out-of-bounds read, which can cause a crash (denial of service) or potentially leak sensitive memory contents. The impact is limited to the Vim process; no remote code execution is indicated in the available references. [1]

Mitigation

The vulnerability is fixed in Vim patch 8.2.4233, released on 2022-01-28. Users should upgrade to Vim 8.2.4233 or later. For distributions, updates are available via package managers (e.g., Gentoo GLSA 202208-32 recommends upgrading to >=9.0.0060). No workaround is known. [1][4]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL-pointer check in delete_buff_tail() allows out-of-bounds read when the buffer header's current entry or its string pointer is NULL."

Attack vector

An attacker can trigger this out-of-bounds read by causing Vim to record typed characters while in Select mode. When recording stops, delete_buff_tail() is called on a buffer header whose bh_curr pointer (or its b_str member) is NULL, and the function calls STRLEN on the NULL pointer without a prior check [1]. The crash occurs during normal editing operations when the recording register is finalized, requiring no special privileges beyond the ability to open a file in Vim and enter Select mode.

Affected code

The vulnerable function is delete_buff_tail() in the Vim source, which lacked a NULL check on buf->bh_curr and buf->bh_curr->b_str before calling STRLEN() [1]. The patch modifies this function and adds a test function Test_record_in_select_mode.

What the fix does

The patch adds a NULL-pointer guard at the top of delete_buff_tail() that returns early if buf->bh_curr is NULL or buf->bh_curr->b_str is NULL [1]. This prevents the subsequent STRLEN() call from dereferencing a NULL pointer. The patch also adds a regression test (Test_record_in_select_mode) that reproduces the crash scenario by recording in Select mode and verifying the output is correct [1].
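
A simplified C model of the guard described above, added here as an example; it is not Vim's source. The struct layout, the `size_t` return value, the tail-truncation logic and the names `delete_tail_unchecked` and `delete_tail_checked` are assumptions made so the two shapes can be compared and tested.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for Vim's buffer header and block (assumed layout);
 * only the fields named in the advisory are modelled. */
struct buffblock {
    char *b_str;                 /* text in this block; may be NULL here */
};
struct buffheader {
    struct buffblock *bh_curr;   /* current block; NULL if nothing was added */
    size_t bh_space;             /* free space left in the current block */
};

/* Pre-fix shape, for comparison only: strlen() is reached without checking
 * bh_curr or b_str, so an empty header is dereferenced. */
size_t delete_tail_unchecked(struct buffheader *buf, size_t slen)
{
    size_t len = strlen(buf->bh_curr->b_str);

    if (len < slen)
        return 0;
    buf->bh_curr->b_str[len - slen] = '\0';
    buf->bh_space += slen;
    return slen;
}

/* Guarded shape: return early when there is nothing to delete.
 * Returns the number of bytes removed from the tail (assumed return value). */
size_t delete_tail_checked(struct buffheader *buf, size_t slen)
{
    size_t len;

    if (buf->bh_curr == NULL || buf->bh_curr->b_str == NULL)
        return 0;                /* nothing recorded, nothing to delete */
    len = strlen(buf->bh_curr->b_str);
    if (len < slen)
        return 0;                /* tail handling simplified for this model */
    buf->bh_curr->b_str[len - slen] = '\0';
    buf->bh_space += slen;
    return slen;
}

int main(void)
{
    struct buffheader empty = { NULL, 0 };   /* constructed: no block yet */
    return delete_tail_checked(&empty, 1) == 0 ? 0 : 1;
}
```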

Preconditions

  • input: Attacker must be able to cause Vim to enter Select mode and perform a recording operation (q command).
  • network: No network access required; the attack is triggered locally through crafted editor input.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5