Use After Free in vim/vim
Description
A use-after-free vulnerability in Vim's buffer handling, triggered by :lopen and :bwipe commands, leads to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in Vim's set_curbuf() function, affecting versions prior to 8.2.4281. When a user runs :lopen followed by :bwipe, an autocommand fired during the buffer switch can wipe the very buffer that set_curbuf() is about to enter, and enter_buffer() is then called on freed memory. The patch [1] caches the result of the buf_valid() check and, when the target buffer is no longer valid but the current window has no buffer, enters the last buffer instead of the freed one.
Exploitation
An attacker must convince a user to open a crafted file or to run a specific command sequence (:lopen followed by :bwipe) in Vim. Exploitation relies on an autocommand wiping the target buffer while set_curbuf() is in the middle of switching to it. No privileges are required beyond those of the user running Vim.
Impact
Successful exploitation results in use of freed memory, which leads to a crash (denial of service) and, depending on heap state, could potentially be leveraged for memory corruption and code execution. The issue is classified as a use-after-free [1][4].
Mitigation
Vim fixed this issue in version 8.2.4281, released on 2022-02-02. Users should update to Vim 8.2.4281 or later. Distributions such as Gentoo have released updated packages (e.g., vim-9.0.0060) [4]. There is no known workaround; upgrading is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The result of buf_valid() was not cached, allowing enter_buffer() to be called on a buffer that had already been freed by an autocommand."
Attack vector
An attacker can trigger the use-after-free by causing Vim to execute `:lopen` followed by `:bwipe` (or a similar autocommand-triggering sequence) so that an autocommand wipes the buffer that `set_curbuf()` is about to enter. The `buf_valid()` check on the target was not the only condition guarding `enter_buffer()`: the same branch was also taken when `curwin->w_buffer` was NULL, and in that case `enter_buffer(buf)` was called even though `buf` had just been freed [ref_id=1].
Affected code
The vulnerability is in `set_curbuf()` in Vim's buffer management code. The function stores a `bufref_T` for the buffer being switched away from, then later checks `buf_valid(buf)` to see whether an autocommand has deleted the target buffer. Before the patch, the result of `buf_valid()` was used directly in a conditional that also fired when `curwin->w_buffer` was NULL, so when the target buffer was invalid the code still called `enter_buffer(buf)` on the freed pointer [ref_id=1].
What the fix does
The patch caches the result of `buf_valid(buf)` into a local `int valid` variable before the conditional block. If `valid` is false but `curwin->w_buffer` is NULL, the code now calls `enter_buffer(lastbuf)` instead of `enter_buffer(buf)`, ensuring a valid buffer is entered. Additionally, the patch replaces a manual `vim_free`/`NULL` pair with `VIM_CLEAR` in `free_buf_options()` to prevent a related dangling-pointer issue [ref_id=1].
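The decision logic described above, as an added example that is not Vim's code and not part of the original page: a toy buffer list with a `buf_valid()` that walks the live list (so it never dereferences the pointer it is asked about), a `:bwipe`-style autocommand that frees the target buffer mid-switch, and the pre-fix and post-fix shapes of `set_curbuf()` side by side. The modelling assumptions are that the previous buffer has already been unloaded when the autocommand runs (represented by `curwin_w_buffer = NULL`) and that the pre-fix path, which in Vim would call `enter_buffer()` on the freed pointer, is instrumented to return -1 instead of actually touching freed memory. All buffer numbers and names here are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of Vim's buffer list (not Vim's real structures). */
typedef struct buf_S {
    int           b_fnum;   /* buffer number */
    struct buf_S *b_next;   /* next live buffer */
} buf_T;

static buf_T *firstbuf = NULL;         /* head of live-buffer list */
static buf_T *lastbuf  = NULL;         /* tail of live-buffer list */
static buf_T *curbuf   = NULL;         /* current buffer */
static buf_T *curwin_w_buffer = NULL;  /* stands in for curwin->w_buffer */

/* Like Vim's buf_valid(): true only if buf is still on the live list.
 * It compares pointers and never dereferences buf, so it is safe to ask
 * about a pointer that has already been freed. */
static bool buf_valid(const buf_T *buf)
{
    for (const buf_T *b = firstbuf; b != NULL; b = b->b_next)
        if (b == buf)
            return true;
    return false;
}

static buf_T *buflist_new(int fnum)
{
    buf_T *b = calloc(1, sizeof *b);
    if (b == NULL)
        abort();
    b->b_fnum = fnum;
    if (firstbuf == NULL)
        firstbuf = b;
    else
        lastbuf->b_next = b;
    lastbuf = b;
    return b;
}

/* What :bwipe does: unlink the buffer from the list and free it. */
static void buf_wipe(buf_T *buf)
{
    buf_T **pp = &firstbuf, *prev = NULL;
    while (*pp != NULL && *pp != buf) {
        prev = *pp;
        pp = &(*pp)->b_next;
    }
    if (*pp == NULL)
        return;                       /* not a live buffer */
    *pp = buf->b_next;
    if (lastbuf == buf)
        lastbuf = prev;
    if (curbuf == buf)
        curbuf = NULL;
    if (curwin_w_buffer == buf)
        curwin_w_buffer = NULL;
    free(buf);
}

static void buflist_reset(void)
{
    while (firstbuf != NULL)
        buf_wipe(firstbuf);
    curbuf = curwin_w_buffer = NULL;
}

/* An autocommand that runs while set_curbuf() is switching buffers. */
typedef void (*autocmd_fn)(buf_T *target);

/* Bind the window to buf.  This dereferences buf, so calling it on a
 * wiped buffer is the use-after-free. */
static int enter_buffer(buf_T *buf)
{
    curbuf = buf;
    curwin_w_buffer = buf;
    return buf->b_fnum;
}

/* Pre-fix shape: the "|| curwin_w_buffer == NULL" arm still fires when the
 * autocommand wiped buf, and the real code then entered the freed buffer.
 * That path is instrumented here to return -1 instead. */
static int set_curbuf_vulnerable(buf_T *buf, autocmd_fn autocmd)
{
    curwin_w_buffer = NULL;           /* previous buffer already unloaded */
    if (autocmd != NULL)
        autocmd(buf);                 /* may :bwipe buf */
    if ((buf_valid(buf) && buf != curbuf) || curwin_w_buffer == NULL) {
        if (!buf_valid(buf))
            return -1;                /* real code: enter_buffer(buf) on freed memory */
        return enter_buffer(buf);
    }
    return curbuf != NULL ? curbuf->b_fnum : -1;
}

/* Post-fix shape: cache validity once; if the target is gone but the
 * window has no buffer, enter lastbuf rather than the freed pointer. */
static int set_curbuf_fixed(buf_T *buf, autocmd_fn autocmd)
{
    curwin_w_buffer = NULL;
    if (autocmd != NULL)
        autocmd(buf);
    bool valid = buf_valid(buf);
    if ((valid && buf != curbuf) || curwin_w_buffer == NULL) {
        if (!valid)
            return lastbuf != NULL ? enter_buffer(lastbuf) : -1;
        return enter_buffer(buf);
    }
    return curbuf != NULL ? curbuf->b_fnum : -1;
}

/* The autocommand from the report: wipe the buffer we are about to enter. */
static void autocmd_wipe_target(buf_T *target)
{
    buf_wipe(target);
}

/* Constructed scenario: buffers 1..3 exist, window shows 1, switch to 2.
 * Returns the buffer number entered, or -1 for the instrumented UAF path. */
static int run_scenario(int (*impl)(buf_T *, autocmd_fn), bool with_autocmd)
{
    buflist_reset();
    buf_T *b1 = buflist_new(1);
    buf_T *b2 = buflist_new(2);
    buflist_new(3);
    curbuf = curwin_w_buffer = b1;
    int entered = impl(b2, with_autocmd ? autocmd_wipe_target : NULL);
    buflist_reset();
    return entered;
}

int main(void)
{
    printf("vulnerable, autocmd wipes target: %d\n", run_scenario(set_curbuf_vulnerable, true));
    printf("fixed,      autocmd wipes target: %d\n", run_scenario(set_curbuf_fixed, true));
    printf("fixed,      no autocmd:           %d\n", run_scenario(set_curbuf_fixed, false));
    return 0;
}
```

With the autocommand firing, the pre-fix shape reaches the instrumented UAF path (-1) while the fixed shape enters buffer 3, the last live buffer; without the autocommand both enter buffer 2. The general lesson is the one the patch encodes: any validity check that precedes user-controllable callbacks must be re-evaluated, captured once, and used consistently in every branch that dereferences the pointer.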
Preconditions
- input: the attacker must be able to supply or trigger a file or command sequence that causes Vim to run :lopen and :bwipe (or equivalent autocommand-triggering operations) in a way that wipes the target buffer during set_curbuf().
- config: the target buffer must be wiped by an autocommand between the buf_valid() check and the enter_buffer() call.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/ (vendor advisory, via MITRE)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UFXFAILMLUIK4MBUEZO4HNBNKYZRJ5AP/ (vendor advisory, via MITRE)
- security.gentoo.org/glsa/202208-32 (vendor advisory, via MITRE)
- lists.debian.org/debian-lts-announce/2022/05/msg00022.html (mailing list, via MITRE)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mailing list, via MITRE)
- github.com/vim/vim/commit/9b4a80a66544f2782040b641498754bcb5b8d461 (fix commit, via MITRE)
- huntr.dev/bounties/b987c8cb-bbbe-4601-8a6c-54ff907c6b51 (original report, via MITRE)
News mentions
No linked articles in our index yet.