Unrated severity · NVD Advisory · Published Feb 1, 2022 · Updated Nov 3, 2025

Heap-based Buffer Overflow in vim/vim

CVE-2022-0417

Description

Heap-based buffer overflow in Vim prior to 8.2.4245 via crafted tabstop values, leading to potential code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in the tabstop handling functions of Vim versions prior to patch 8.2.4245. The vulnerability occurs when tabstop_set() or ex_retab() processes tabstop values without proper bounds checking. Previously, values were only checked against a hardcoded limit of 9999; the fix introduces TABSTOP_MAX and adds validation in set_num_option() and paste_option_changed() to prevent out-of-bounds memory access [1]. The issue is triggered when a user opens a specially crafted file or executes the :retab command with an excessively large argument.

Exploitation

An attacker can exploit this vulnerability by providing a crafted file that, when opened in Vim, sets a tabstop value exceeding the internal buffer size, or by tricking a user into running :retab 0 or similar commands with a large number. No authentication is required; the attacker only needs to deliver the malicious file or command to the victim. The exploit sequence involves the heap buffer being overwritten due to insufficient validation, leading to memory corruption.

Impact

Successful exploitation allows an attacker to cause a heap-based buffer overflow, potentially leading to arbitrary code execution or a denial of service (crash). The attacker gains the ability to execute code in the context of the Vim process, which could lead to further compromise of the system.

Mitigation

The vulnerability is fixed in Vim version 8.2.4245 (commit 652dee448618589de5528a9e9a36995803f5557a) [1]. Users should upgrade to this version or later. The Gentoo security advisory (GLSA 202208-32) recommends upgrading to Vim 9.0.0060 or later [4]. No workaround is available; upgrading is the only mitigation.
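
One way to check a host against the fixed version named above, as an added example (not code from this advisory or from the Vim project): it parses `vim --version` output and tests whether patch 8.2.4245 is included. The function names and the sample outputs are constructed for illustration.

```python
import re
import subprocess

FIXED_RELEASE, FIXED_PATCH = (8, 2), 4245  # fixed version per the advisory

# Constructed samples in the shape of `vim --version` output.
SAMPLE_OLD = "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Jan 10 2022)\nIncluded patches: 1-4000\n"
SAMPLE_FIXED = "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Feb 2 2022)\nIncluded patches: 1-4245\n"


def parse_vim_version(text):
    """Return ((major, minor), set of included patch numbers)."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    patches = set()
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if line:
        # The list may contain gaps, e.g. "1-4244, 4246-4300".
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", line.group(1)):
            patches.update(range(int(lo), int(hi or lo) + 1))
    return release, patches


def is_patched(text):
    """True if the build reports 8.2 with patch 4245, or a later release."""
    release, patches = parse_vim_version(text)
    if release != FIXED_RELEASE:
        return release > FIXED_RELEASE
    # Same release: the specific patch must be present, not just a higher one.
    return FIXED_PATCH in patches


if __name__ == "__main__":
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    print("patched" if is_patched(out) else "upgrade needed (prior to 8.2.4245)")
```

A distribution may backport the fix without changing the reported patch list, so a "not patched" result on a vendor build should be confirmed against that vendor's advisory.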

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

7
