Heap-based Buffer Overflow in vim/vim
Description
Heap-based buffer overflow in vim's change_indent function when processing a crafted 'vartabstop' value, allowing arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the change_indent() function of Vim before 8.2.4436. With 'vartabstop' set to a crafted value, the cursor-column walk that change_indent() performs after an indentation change runs past the end of the current line, an out-of-bounds access of the line buffer (the root-cause analysis below characterizes it as a read past the line's NUL terminator). The fix is commit 4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa, shipped as patch 8.2.4436 [3].
Exploitation
Exploitation needs no authentication or special privileges beyond getting Vim to process attacker-controlled input: a crafted file or command that sets 'vartabstop' to the crafted value in a buffer using a single-byte encoding such as latin1, followed by an indentation change. The victim must open the file or run the command; the overflow then occurs inside Vim's normal indentation processing with no further interaction.
Impact
Successful exploitation corrupts the state of the running Vim process. The description rates the outcome as arbitrary code execution with the privileges of the user running Vim; note, though, that the fix commit and the root-cause analysis below describe an out-of-bounds read past the line's NUL terminator, whose demonstrated effect is a crash. Treat code execution as the worst case rather than the proven outcome, with the user's session and data as the scope of what could be compromised.
Mitigation
The vulnerability is fixed in Vim 8.2.4436, released on February 22, 2022 [3]; upgrade to that version or later. A patched build shows the fix in its `:version` output, whose "Included patches" line must cover 4436 (for example 1-4436 or a higher range). Apple shipped the fix in macOS Ventura 13, released October 24, 2022 [1]. No workaround is documented; updating Vim is the recommended mitigation.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches
No patches discovered yet (the fix commit 4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa is listed under References).
Vulnerability mechanics
Root cause
"Missing bounds check in change_indent() allows out-of-bounds read when iterating past the end of a line with a crafted vartabstop value."
Attack vector
An attacker triggers the overflow with a crafted file or command that sets an unusual `vartabstop` value (the patch's test uses `set vartabstop=400`) and then changes indentation (the test does so with `norm i00 `) in a latin1-encoded buffer [ref_id=1]. While walking tab stops to find the cursor's new column, `change_indent()` never checks whether the computed byte offset has advanced past the end of the line, so it keeps reading beyond the line's NUL terminator [ref_id=1].
Affected code
The vulnerable loop is in `change_indent()` in Vim's source: after incrementing `new_cursor_col`, the unpatched code measures the character at that offset without first checking for the end of the line. The patch inserts that check, breaking out of the loop when `ptr[new_cursor_col]` is NUL [ref_id=1].
What the fix does
The patch adds the guard `if (ptr[new_cursor_col] == NUL) break;` inside the loop in `change_indent()`, immediately after `new_cursor_col` is advanced and before the offset is used [ref_id=1]. When the walk reaches the line's NUL terminator it now exits instead of measuring bytes beyond the buffer. The accompanying test `Test_vartabstop_latin1()` guards against regression [ref_id=1].
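The loop described in the attack-vector and fix sections above, modelled as an added example in C (this is illustrative code, not Vim's own): a simplified version of the cursor-column walk in change_indent() over a 'vartabstop' list, shown in its pre-fix shape and with the NUL guard from the commit. The names walk_unchecked(), walk_checked(), tabstop_padding(), byte_width() and demo(), the constructed line "\t00" and the target column 410 are this example's own assumptions; Vim derives the target column from the new indent and measures characters through its own lbr_chartabsize() logic, which is simplified here to tab padding plus one cell per byte. The padding after the terminator exists only to keep the demonstration inside the array.

```c
#include <stdio.h>
#include <string.h>

#define NUL '\0'

/* Padding from virtual column vcol to the next tab stop for a 'vartabstop'
 * list whose last entry repeats (the option's documented semantics). */
static int tabstop_padding(int vcol, const int *stops, int nstops)
{
    int stop = 0;
    for (int i = 0; i < nstops; ++i) {
        stop += stops[i];
        if (vcol < stop)
            return stop - vcol;
    }
    return stops[nstops - 1] - ((vcol - stop) % stops[nstops - 1]);
}

/* Display width of the byte at ptr[col] in a single-byte encoding (the
 * latin1 precondition). A NUL shows as ^@ (two cells); any byte beyond the
 * terminator is whatever happens to sit in memory, and is still measured. */
static int byte_width(const char *ptr, int col, int vcol,
                      const int *stops, int nstops)
{
    if (ptr[col] == '\t')
        return tabstop_padding(vcol, stops, nstops);
    return ptr[col] == NUL ? 2 : 1;
}

/* Pre-fix shape of the walk: the only loop bound is the virtual column, so
 * a want_vcol larger than the line's display width keeps advancing
 * new_cursor_col past the NUL terminator. Returns the final byte index. */
static int walk_unchecked(const char *ptr, int want_vcol,
                          const int *stops, int nstops)
{
    int vcol = 0, new_cursor_col = -1;
    while (vcol <= want_vcol) {
        ++new_cursor_col;
        vcol += byte_width(ptr, new_cursor_col, vcol, stops, nstops);
    }
    return new_cursor_col;
}

/* Post-fix shape: the guard from the commit stops at the terminator, so the
 * returned index never exceeds strlen(ptr). */
static int walk_checked(const char *ptr, int want_vcol,
                        const int *stops, int nstops)
{
    int vcol = 0, new_cursor_col = -1;
    while (vcol <= want_vcol) {
        ++new_cursor_col;
        if (ptr[new_cursor_col] == NUL)
            break;
        vcol += byte_width(ptr, new_cursor_col, vcol, stops, nstops);
    }
    return new_cursor_col;
}

/* Constructed scenario (this example's own data): the line "\t00" with a
 * single 400-column tab stop occupies 402 cells, and the target column 410
 * lies beyond that. The 'X' padding after the NUL only keeps the unchecked
 * walk inside this array; in Vim the same walk reads whatever follows the
 * line in the heap. Returns the index the chosen walk ends at. */
static int demo(int use_fix)
{
    static const int stops[] = { 400 };
    char buf[64];
    memset(buf, 'X', sizeof buf);
    memcpy(buf, "\t00", 4);          /* NUL terminator lands at index 3 */
    buf[sizeof buf - 1] = NUL;
    return use_fix ? walk_checked(buf, 410, stops, 1)
                   : walk_unchecked(buf, 410, stops, 1);
}

int main(void)
{
    printf("line length 3, unchecked walk ends at index %d\n", demo(0));
    printf("line length 3, checked walk ends at index %d\n", demo(1));
    return 0;
}
```

The unchecked walk ends seven bytes past the terminator because the bytes after the NUL are still counted toward the target column; the checked walk stops at index 3, the terminator itself, which is the furthest position the cursor can legitimately take.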
Preconditions
- input: the victim must open a crafted file or execute commands that set an unusual 'vartabstop' value and then trigger an indentation change
- config: the buffer encoding must be a single-byte encoding such as latin1 (iso8859-1)
Reproduction
The test added with the patch, `Test_vartabstop_latin1()`, reproduces the crash: set 'encoding' to iso8859-1, run `silent norm :se `, set `vartabstop=400`, then execute `norm i00 ` in a new buffer [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (10)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7ZLEHVP4LNAGER4ZDGUDS5V5YVQD6INF/ (MITRE: vendor advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HBUYQBZ6GWAWJRWP7AODJ4KHW5BCKDVP/ (MITRE: vendor advisory)
- security.gentoo.org/glsa/202208-32 (MITRE: vendor advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (MITRE: mailing list)
- seclists.org/fulldisclosure/2022/Oct/41 (MITRE: mailing list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (MITRE: mailing list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (MITRE: mailing list)
- github.com/vim/vim/commit/4e889f98e95ac05d7c8bd3ee933ab4d47820fdfa (MITRE)
- huntr.dev/bounties/db70e8db-f309-4f3c-986c-e69d2415c3b3 (MITRE)
- support.apple.com/kb/HT213488 (MITRE)
News mentions
No linked articles in our index yet.