Use of Out-of-range Pointer Offset in vim/vim
Description
A use-of-out-of-range pointer offset in Vim's wildcard expansion with 'wildignorecase' set can cause a crash via crafted multi-byte characters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a use-of-out-of-range pointer offset in the unix_expandpath function of Vim, triggered when the wildignorecase option is enabled. The code incorrectly uses the isalpha function on multi-byte characters, leading to an out-of-bounds read. This affects Vim versions prior to 8.2.4418. The fix, introduced in patch 8.2.4418, adds a safe vim_isalpha function and replaces the problematic isalpha call [2].
Exploitation
An attacker can exploit this by crafting a file or directory name containing a special multi-byte character and convincing a user to perform a wildcard expansion (e.g., via :e or :tabedit) with the wildignorecase option set. No authentication is required; the attack relies on user interaction. The crash occurs during the expansion of wildcards [2].
Impact
Successful exploitation results in a denial of service (crash) of Vim. The commit message and test confirm a crash [2]. The Gentoo advisory lists this CVE among multiple vulnerabilities that could lead to denial of service [4].
Mitigation
The fix is included in Vim version 8.2.4418 and later. Users should upgrade to at least that version. Gentoo recommends upgrading to >=9.0.0060 [4]. No workaround is known [2][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Vulnerability mechanics
Root cause
"Use of the C library `isalpha()` macro on a multi-byte character's lead byte, which can return a negative value that is then used as an out-of-range pointer offset, causing a crash."
Attack vector
An attacker can trigger this vulnerability by opening a file or typing a command containing a specially crafted multi-byte character (e.g., "űŤŤŤ¦*") in a context where Vim performs wildcard expansion with `'wildignorecase'` enabled. The `isalpha()` call on the lead byte of such a character can return a negative value, which is then used as an out-of-range pointer offset, leading to a crash [ref_id=1]. The test added in the patch shows the crash is reproducible with the command `tc űŤŤŤ¦*` when `'wic'` (wildignorecase) is set [ref_id=1].
Affected code
The vulnerable code is in `src/misc2.c` (now `src/charclass.c`) in the `unix_expandpath()` function, where `isalpha(PTR2CHAR(path_end))` is called on a multi-byte character's lead byte [ref_id=1]. The patch also adds the new `vim_isalpha()` function to `src/proto/charclass.pro` and the test to `src/testdir/test_cmdline.vim` [ref_id=1].
What the fix does
The patch replaces the C library `isalpha()` call with a new `vim_isalpha()` function that internally calls `vim_islower()` and `vim_isupper()`, which are already safe for multi-byte characters [ref_id=1]. This ensures the character classification works correctly on multi-byte lead bytes and never returns a negative value that could be used as an out-of-range pointer offset. The fix also adds a test case (`Test_multibyte`) that verifies the crash no longer occurs [ref_id=1].
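An added example, not Vim's code and not part of the patch: the C standard defines `isalpha()` only for `EOF` and values representable as `unsigned char`, so a code point decoded from a multi-byte sequence needs a range check before it reaches a `<ctype.h>` function. `decode_utf8`, `in_ctype_domain` and `checked_isalpha` are hypothetical names, the sample bytes are constructed, and reporting out-of-domain values as non-alphabetic is an assumption of this sketch.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal UTF-8 decoder (constructed for this example, not Vim's decoder).
 * Returns the code point, the raw lead byte when the sequence is invalid,
 * truncated or overlong, or -1 when n is 0. */
int decode_utf8(const unsigned char *p, size_t n)
{
    static const int min_cp[] = { 0, 0x80, 0x800, 0x10000 };
    int c, extra;

    if (n == 0) return -1;
    c = p[0];
    if (c < 0x80) return c;
    if ((c & 0xE0) == 0xC0)      { extra = 1; c &= 0x1F; }
    else if ((c & 0xF0) == 0xE0) { extra = 2; c &= 0x0F; }
    else if ((c & 0xF8) == 0xF0) { extra = 3; c &= 0x07; }
    else return p[0];                    /* not a valid lead byte */
    if ((size_t)extra >= n) return p[0]; /* truncated sequence */
    for (int i = 1; i <= extra; i++) {
        if ((p[i] & 0xC0) != 0x80) return p[0];
        c = (c << 6) | (p[i] & 0x3F);
    }
    return c < min_cp[extra] ? p[0] : c; /* reject overlong forms */
}

/* <ctype.h> functions accept only EOF and unsigned char values. */
int in_ctype_domain(int c)
{
    return c == EOF || (c >= 0 && c <= UCHAR_MAX);
}

/* Guarded classifier. Assumption: anything outside the <ctype.h> domain is
 * reported as non-alphabetic rather than looked up in a wide-character table. */
int checked_isalpha(int c)
{
    return in_ctype_domain(c) && isalpha(c) != 0;
}

int main(void)
{
    const unsigned char sample[] = { 0xC5, 0xB1, '*' }; /* constructed: U+0171, '*' */
    int c = decode_utf8(sample, sizeof sample);
    printf("U+%04X in ctype domain: %d, checked_isalpha: %d\n",
           (unsigned)c, in_ctype_domain(c), checked_isalpha(c));
    return 0;
}
```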
Preconditions
- config: The 'wildignorecase' option must be enabled (set wic).
- input: The attacker must supply a specially crafted multi-byte character sequence (e.g., 'űŤŤŤ¦*') in a context where Vim performs wildcard expansion.
Reproduction
1. Run Vim with a version prior to 8.2.4418.
2. Execute the command: `:set wic`
3. Execute the command: `:tc űŤŤŤ¦*`
4. Vim will crash with an out-of-range pointer offset [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mitre, mailing-list)
- github.com/vim/vim/commit/5921aeb5741fc6e84c870d68c7c35b93ad0c9f87 (mitre)
- huntr.dev/bounties/27230da3-9b1a-4d5d-8cdf-4b1e62fcd782 (mitre)
- support.apple.com/kb/HT213488 (mitre)