VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 30, 2022· Updated Aug 2, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-0407

Description

A heap-buffer overflow in Vim's yank_copy_line function prior to version 8.2 could allow local attackers to trigger a crash or code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-buffer overflow in Vim's yank_copy_line function prior to version 8.2 could allow local attackers to trigger a crash or code execution.

Vulnerability

A heap-based buffer overflow exists in the yank_copy_line function of Vim prior to version 8.2 (patch 8.2.4219). The flaw occurs when a loop that strips trailing whitespace from a line incorrectly checks the index before accessing the buffer, potentially reading before the start of the line [1]. This is triggered during a visual block yank operation (zy), as demonstrated in the included test case [1].

Exploitation

An attacker with local access to Vim must craft a file or input that causes the vulnerable code path to be executed. The attacker needs to invoke a visual block yank operation on a line that causes the loop to access out-of-bounds memory. The issue is reproducible with a specific sequence of keystrokes (:exe "norm o\\\zy") [1]. No special privileges beyond being able to run Vim are required.

Impact

Successful exploitation results in reading memory before the start of the buffer, which could disclose sensitive information or cause a crash. In worst-case scenarios, this heap-based overflow could be leveraged for arbitrary code execution. The vulnerability affects the confidentiality and integrity of the system [1][2].

Mitigation

The issue is fixed in Vim version 8.2.4219, released on 2022-01-30 [1]. Users should upgrade to Vim 9.0.0060 or later as recommended by Gentoo [2]. No workarounds are available; applying the patch or updating the software is the only mitigation [2].

References
  1. patch 8.2.4219: reading before the start of the line · vim/vim@44db821
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38

Patches

0

No patches discovered yet.

Vulnerability mechanics

Synthesis attempt was rejected by the grounding validator. Re-run pending.

References

3

News mentions

0

No linked articles in our index yet.