Unrated severity · NVD Advisory · Published Feb 23, 2022 · Updated Aug 2, 2024

Use of Out-of-range Pointer Offset in vim/vim

CVE-2022-0729

Description

Use of out-of-range pointer offset in vim prior to 8.2.4440 could allow arbitrary code execution when opening a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Vim versions prior to 8.2.4440 use an out-of-range pointer offset. The bug is triggered when Vim processes a specially crafted file, leading to an out-of-bounds memory access. Affected versions include all Vim releases before 8.2.4440, as well as downstream distributions that ship the vulnerable code.

Exploitation

An attacker can exploit this vulnerability by crafting a malicious file that, when opened with vim, triggers the out-of-range pointer offset. No authentication or special privileges are required, as the attack relies solely on persuading a user to open the file using vim.

Impact

Successful exploitation could result in memory corruption, potentially leading to arbitrary code execution in the context of the vim process or a denial of service condition [1][4].

Mitigation

The fix was released in vim 8.2.4440. Users should update to this version or later. For Gentoo Linux, the recommended update is to app-editors/vim-9.0.0060 [4]. Apple included a fix in macOS Ventura 13 [1]. No workarounds are known.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Use of out-of-range pointer offset in Vim's regexp engine when processing a crafted pattern and string, leading to a crash."

Attack vector

An attacker can trigger this vulnerability by providing a specially crafted regex pattern combined with a specific string to Vim's regexp engine (engine 1). The test case in the patch shows the crash is reproduced by setting `regexpengine=1`, opening a file with a crafted name (`\xeb\xdb\x99`), and executing `buf \&\zs*\zs*0` [ref_id=1]. This causes an out-of-range pointer offset during regex matching, resulting in a crash. No authentication or special privileges are required beyond the ability to supply input to Vim's regex processing.

Affected code

The vulnerability resides in Vim's regexp engine (engine 1, the NFA-based engine). The patch [ref_id=1] adds a regression test but does not show the specific source file or function fix; the crash occurs during regex matching when processing a pattern containing `\zs` with a crafted buffer name.

What the fix does

The patch [ref_id=1] adds a new test function `Test_match_too_complicated()` that reproduces the crash scenario, but the actual fix is not shown in the diff: the diff only adds the regression test. The advisory title indicates the fix addresses an "out-of-range pointer offset" issue. The remediation guidance is to upgrade to Vim version 8.2.4440 or later, which contains the complete fix for the underlying pointer arithmetic flaw in the regexp engine.

Preconditions

  • Config: Vim must be configured with 'regexpengine=1' (the automatic engine selection is bypassed)
  • Input: the attacker must supply a crafted regex pattern and a specially crafted input string to Vim's regex engine

Reproduction

1. Start Vim with `regexpengine=1` set.
2. Execute: `exe "vsplit \xeb\xdb\x99"`
3. Execute: `silent! buf \&\zs*\zs*0`
4. Vim will crash due to an out-of-range pointer offset in the regexp engine.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0 (no linked articles in our index yet)