NULL Pointer Dereference in vim/vim
Description
A NULL pointer dereference in Vim's cmdline window handling, fixed in 8.2.4428, can be triggered to crash or potentially execute code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A NULL pointer dereference vulnerability exists in Vim prior to version 8.2.4428, specifically in get_user_var_name(), find_ucmd(), and related functions when the cmdline window (cmdwin) is active. The code incorrectly used prevwin->w_buffer and prevwin->w_vars without checking if prevwin is NULL, leading to a crash. The issue is addressed in commit 0f6e28f686dbb59ab3b562408ab9b2234797b9b1 [2].
Exploitation
An attacker would need to convince a user to open a specially crafted file in Vim or perform an operation that triggers the cmdline window (e.g., pressing q: to enter the command-line window) while having specific buffer/window state. The vulnerability is reached through user interaction requiring the cmdline window path, but does not require elevated privileges beyond normal Vim usage.
Impact
Successful exploitation results in a NULL pointer dereference, causing a denial of service via crash. In the broader scope, Apple's advisory for macOS Ventura 13 notes that memory handling issues in image processing could lead to arbitrary code execution [1], though for this specific Vim vulnerability, the primary impact is program termination. The fix addresses the root cause by introducing a prevwin_curwin() function that safely handles the cmdwin case [2].
Mitigation
Users should upgrade to Vim version 8.2.4428 or later, released on February 21, 2022 [2]. For macOS users, the issue is addressed in macOS Ventura 13 [1]. No workaround is available; updating is the recommended action. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"NULL pointer dereference when `prevwin` is accessed without a NULL check while switching tab pages inside the cmdline window."
Attack vector
An attacker who can cause a Vim user to switch tab pages (e.g., via `:tabnew` or `gt`) while the cmdline window is open triggers a NULL pointer dereference [ref_id=1]. The cmdline window sets `prevwin` to point to the previously focused window, but when switching tab pages, `prevwin` may be NULL or stale, and the old code unconditionally dereferenced `prevwin` without a NULL check [ref_id=1]. The attack requires the victim to have the cmdline window active and then perform a tab-switching operation.
Affected code
The patch modifies `get_user_var_name()`, `find_ucmd()`, `expand_user_command_name()`, `get_user_commands()`, `get_user_command_name()`, and `uc_list()` in Vim's source to replace conditional `is_in_cmdwin() ? prevwin->... : curbuf/curwin` logic with a call to the new helper function `prevwin_curwin()` [ref_id=1]. Additionally, `win_new_tabpage()`, `goto_tabpage()`, and `goto_tabpage_tp()` gain a `CHECK_CMDWIN` guard that returns an error when the cmdline window is active [ref_id=1].
What the fix does
The patch introduces a new helper function `prevwin_curwin()` that returns `prevwin` only when `is_in_cmdwin()` is true AND `prevwin` is not NULL, otherwise falling back to `curwin` [ref_id=1]. This prevents the NULL pointer dereference by ensuring `prevwin` is never dereferenced when it is NULL. Additionally, the patch adds `CHECK_CMDWIN` guards to `win_new_tabpage()`, `goto_tabpage()`, and `goto_tabpage_tp()` so that tab-switching operations are rejected with an error message when the cmdline window is active, eliminating the crash path entirely [ref_id=1].
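The selection logic and guard described above, as an added example that is not Vim's source code. The types, the `cmdwin_active` flag, `select_win_unchecked()`, `tab_switch_guarded()` and `lookup_bufnr()` are simplified assumptions; only the names `prevwin`, `curwin`, `is_in_cmdwin()` and `prevwin_curwin()` come from the page.

```c
#include <stddef.h>

/* Simplified stand-ins for Vim's types and globals (assumed, not Vim source). */
typedef struct { int b_fnum; } buf_T;
typedef struct { buf_T *w_buffer; } win_T;

static win_T *curwin;         /* window that currently has focus */
static win_T *prevwin;        /* previously focused window, may be NULL */
static int    cmdwin_active;  /* nonzero while the cmdline window is open */
enum { FAIL = 0, OK = 1 };

static int is_in_cmdwin(void) { return cmdwin_active; }

/* Pre-fix selection as the page describes it: prevwin is chosen whenever the
 * cmdline window is active, with no NULL check. Callers then read ->w_buffer
 * from the result, so a NULL return here is the crash. */
static win_T *select_win_unchecked(void)
{
    return is_in_cmdwin() ? prevwin : curwin;
}

/* Post-fix selection: prevwin only if cmdwin is active AND prevwin != NULL. */
static win_T *prevwin_curwin(void)
{
    return (is_in_cmdwin() && prevwin != NULL) ? prevwin : curwin;
}

/* Hypothetical tab-switch entry point with a CHECK_CMDWIN-style guard:
 * the operation is refused before any window state changes. */
static int tab_switch_guarded(int *current_tab, int target_tab)
{
    if (is_in_cmdwin())
        return FAIL;
    *current_tab = target_tab;
    return OK;
}

/* Reports the buffer number a caller would read, or -1 at the point where
 * an unchecked caller would have dereferenced NULL. */
static int lookup_bufnr(win_T *(*select_win)(void))
{
    win_T *wp = select_win();
    return wp == NULL ? -1 : wp->w_buffer->b_fnum;
}

int main(void)
{
    buf_T buf = { 7 };
    win_T win = { &buf };
    int tab = 1;
    curwin = &win; prevwin = NULL; cmdwin_active = 1;  /* constructed state */
    return !(lookup_bufnr(select_win_unchecked) == -1
          && lookup_bufnr(prevwin_curwin) == 7
          && tab_switch_guarded(&tab, 2) == FAIL);
}
```

The two changes are complementary: the helper makes every lookup safe even if `prevwin` is lost, while the guard stops the tab-switching operations from being carried out while the cmdline window is open.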
Preconditions
- Input: The victim must have the cmdline window open (cmdwin mode active).
- Input: The victim must perform a tab-switching operation (e.g., `:tabnew`, `gt`) while in the cmdline window.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/ (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00032.html (mitre, mailing-list)
- github.com/vim/vim/commit/0f6e28f686dbb59ab3b562408ab9b2234797b9b1 (mitre)
- huntr.dev/bounties/7416c2cb-1809-4834-8989-e84ff033f15f (mitre)
- support.apple.com/kb/HT213488 (mitre)
News mentions
No linked articles in our index yet.