VYPR
Unrated severity · NVD Advisory · Published Jan 30, 2022 · Updated Aug 2, 2024

Use After Free in vim/vim

CVE-2022-0413

Description

A use-after-free in Vim's substitute command with a function expression can cause a crash or code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the `ex_substitute` function of Vim before patch 8.2.4253 [1]. When the substitute string begins with `\=` (indicating an expression), the code previously freed the old pattern but did not copy the substitute string before calling recursive functions that could free it. The fix introduces a copy (`sub_copy`) to prevent use of freed memory [1].

Exploitation

An attacker can trigger the use-after-free by providing a crafted substitution command (e.g., `:s/.../\=.../`) whose substitute string starts with `\=`. No special authentication is required if the attacker can supply file content or command-line input to a Vim session. The original `sub` pointer is freed by the recursive function call that occurs during expression evaluation [1].

Impact

Successful exploitation could lead to a crash (denial of service) or potentially arbitrary code execution, depending on how the freed memory is reallocated. The vulnerability stems from using freed memory after the substitute expression is evaluated [1].

Mitigation

The fix was committed to the Vim repository on 2022-01-30 as patch 8.2.4253 [1]. Users should upgrade to Vim 8.2.4253 or later. For distributions, updated packages are available (e.g., Fedora [2][3], Gentoo [4]). There is no known workaround.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

45

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free in `ex_substitute()` when a substitute pattern starting with `\=` is evaluated, because a recursive function call can free the `sub` pointer while it is still in use."

Attack vector

An attacker can trigger a use-after-free by crafting a `:substitute` command where the replacement string starts with `\=` (making it an expression) and the expression evaluation triggers a recursive call that frees the substitute string. After the recursive call returns, the freed `sub` pointer is still used, causing undefined behavior. This can be exploited by providing a malicious file or input to a victim running Vim [1]. The attacker does not need special privileges beyond the ability to supply text that the victim opens or edits with Vim.

Affected code

The vulnerability is in the `ex_substitute()` function in Vim's source code. The patch modifies the handling of substitute strings that start with `\=` (an expression). Before the fix, when the substitute string was an expression, the original `sub` pointer could be freed by a recursive function call during evaluation, leading to a use-after-free when the pointer was later accessed.

What the fix does

The patch makes a copy of the substitute string (`vim_strsave(sub)`) when that string starts with `\=`, storing the copy in a new variable `sub_copy`. This ensures that even if a recursive function call frees the original string, the copy remains valid. The copy is freed at the end of `ex_substitute()` via `vim_free(sub_copy)` [1]. This prevents the use-after-free by decoupling the substitute string from memory that could be freed during expression evaluation.
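
The borrowed-pointer problem and the copy-before-evaluate fix described above, reduced to a small C model. This is an added example, not Vim's source or the patch itself: `g_shared_sub`, `eval_expr_recursive` and the other names are hypothetical, `dup_str` stands in for `vim_strsave`, and the string `\=Recurse()` is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not Vim source; every name below is hypothetical. */
static char *g_shared_sub = NULL;      /* string owned by shared editor state */
static unsigned g_generation = 0;      /* bumped each time the owner frees it */

static char *dup_str(const char *s) {  /* plays the role of vim_strsave() */
    char *p = malloc(strlen(s) + 1);
    return p ? strcpy(p, s) : NULL;
}

static void set_shared_sub(const char *s) {
    free(g_shared_sub);                /* any borrowed pointer now dangles */
    g_shared_sub = dup_str(s);
    g_generation++;
}

/* Stand-in for evaluating "\=expr" when expr runs another substitute. */
static void eval_expr_recursive(void) { set_shared_sub("inner"); }

/* Pre-fix shape: borrow, evaluate, report staleness without dereferencing. */
int borrowed_sub_is_stale(void) {
    set_shared_sub("\\=Recurse()");
    unsigned gen = g_generation;       /* generation of the borrowed buffer */
    eval_expr_recursive();
    return gen != g_generation;        /* 1: touching the old pointer is a UAF */
}

/* Post-fix shape: private copy before evaluation, freed at the end. */
int substitute_with_copy(char *out, size_t outlen) {
    set_shared_sub("\\=Recurse()");
    const char *sub = g_shared_sub;
    char *sub_copy = NULL;
    if (sub == NULL) return -1;
    if (sub[0] == '\\' && sub[1] == '=') {
        if ((sub_copy = dup_str(sub)) == NULL) return -1;
        sub = sub_copy;                /* stop aliasing the shared buffer */
    }
    eval_expr_recursive();             /* frees only the shared buffer */
    snprintf(out, outlen, "%s", sub);  /* reads the copy, still valid */
    free(sub_copy);
    return 0;
}

int main(void) {
    char buf[32] = "";
    printf("stale=%d rc=%d\n", borrowed_sub_is_stale(), substitute_with_copy(buf, sizeof buf));
}
```

Building the model with `-fsanitize=address` and adding a read through the borrowed pointer in the pre-fix function is a quick way to see the same class of report a sanitizer gives for this bug pattern.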

Preconditions

  • Input: Victim must open a crafted file or input that triggers a `:substitute` command with an expression replacement
  • Input: The substitute pattern must start with `\=` to trigger the expression evaluation path

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
