Use of Out-of-range Pointer Offset in vim/vim
Description
An out-of-range pointer offset in Vim prior to 8.2 can lead to denial of service or potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An out-of-range pointer offset in Vim prior to 8.2 can lead to denial of service or potential code execution.
Vulnerability
Use of out-of-range pointer offset in Vim versions prior to 8.2, specifically in the buffer handling code when iterating through buffers. The issue occurs in the do_buffer_ext function when skipping quickfix buffers, leading to an invalid pointer dereference. The vulnerability is present in all versions before 8.2 and was fixed in patch 8.2.4327 [2].
Exploitation
An attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted file in Vim. The exploit requires no special privileges and involves triggering a specific sequence of commands that cause all buffers to be wiped out, as demonstrated in the test case added in the fix commit [2].
Impact
Successful exploitation could result in a denial of service (crash) or potentially arbitrary code execution. The Gentoo security advisory rates this as a denial of service issue, but the memory safety nature of the bug suggests possible code execution [4].
Mitigation
The vulnerability is fixed in Vim version 8.2.4327 and later. Users should upgrade to the latest version, with Gentoo recommending version >=9.0.0060 [4]. If immediate upgrade is not possible, avoid opening untrusted files in Vim as a workaround.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates, 6 affected version ranges:
- pkg:rpm/almalinux/vim-common (no CPE): < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-enhanced (no CPE): < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-filesystem (no CPE): < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-minimal (no CPE): < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-X11 (no CPE): < 2:8.2.2637-16.el9_0.2
- pkg:rpm/opensuse/vim, distro openSUSE Tumbleweed (no CPE): < 9.0.0453-2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing exclusion of quickfix buffers in `do_buffer_ext()` allows selection of a buffer that may be deleted before use, causing an out-of-range pointer offset."
Attack vector
An attacker can craft a sequence of Vim commands that triggers the use of a quickfix buffer after it has been wiped. The test case in the patch shows a reproduction: calling a function that opens a quickfix list (`tab lopen`), editing a file, and then using `bwipe` while switching windows. This causes `do_buffer_ext()` to select a quickfix buffer that is about to be deleted, leading to an out-of-range pointer offset when the buffer's memory is accessed after deallocation [ref_id=1].
Affected code
The vulnerability is in the `do_buffer_ext()` function in Vim's buffer management code. The patch modifies multiple locations within this function where buffer selection logic failed to exclude quickfix buffers, which could be deleted soon after being referenced.
What the fix does
The patch adds `bt_quickfix(buf)` checks at four points in `do_buffer_ext()` to skip quickfix buffers when selecting the next buffer to switch to. The commit message explains: "Skip current and unlisted bufs. Also skip a quickfix buffer, it might be deleted soon" [ref_id=1]. This prevents the function from returning a pointer to a quickfix buffer that could be wiped before it is used, closing the use-after-free / out-of-range pointer offset.
Preconditions
- input: Attacker must be able to supply or trigger a Vim script that opens a quickfix list, switches buffers, and wipes buffers in a specific sequence
- config: Vim must be compiled with the FEAT_QUICKFIX feature enabled
Reproduction
The patch includes a test function `Test_lopen_bwipe_all()` that reproduces the issue [ref_id=1]:
1. Create a Vim script with a function `R()` that runs `silent! tab lopen`, `e foo`, and `silent! lfile`.
2. Call `R()`, then execute `exe "norm \<C-W>\<C-V>0"` to split the window, then call `R()` again.
3. Run `bwipe` to wipe the current buffer.
4. Without the fix, this sequence causes all buffers to be wiped out, triggering the out-of-range pointer offset.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9 references:
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/ (mitre; vendor advisory)
- security.gentoo.org/glsa/202208-32 (mitre; vendor advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre; mailing list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre; mailing list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (mitre; mailing list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mitre; mailing list)
- github.com/vim/vim/commit/e3537aec2f8d6470010547af28dcbd83d41461b8 (mitre)
- huntr.dev/bounties/7e8f6cd0-b5ee-48a2-8255-6a86f4c46c71 (mitre)
- support.apple.com/kb/HT213488 (mitre)
News mentions
No linked articles in our index yet.