Heap-based Buffer Overflow occurs in vim in vim/vim
Description
A heap-based buffer overflow in Vim's spell-suggest feature when invoked in Visual mode, fixed in 8.2.4563.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in Vim in the spell suggestion functionality (spell_suggest). When the z= command is used in Visual mode, the code could read beyond the end of the current line, leading to a buffer overflow. This affects Vim versions prior to 8.2.4563 [2]. The vulnerability occurs because the length of the bad word (badlen) is not properly bounded by the remaining column count on the line after ending visual mode [2].
Exploitation
An attacker can trigger this vulnerability by providing a crafted file or text that, when opened in Vim, causes the user (or an automated editor script) to invoke the z= spelling suggestion command in Visual mode. The attacker must have a way to supply the crafted content to the victim; no additional special privileges are required beyond the ability to write the file or have it processed. The fix in the patch also includes a test case that demonstrates the crash by using a sequence of Visual mode operations and then z= [2].
Impact
Successful exploitation could lead to arbitrary code execution, since the heap-based buffer overflow may corrupt adjacent memory. The Apple security advisory notes that processing a maliciously crafted image could lead to arbitrary code execution [1], and the Vim commit addresses a heap-buffer-overflow that could have security implications.
Mitigation
The vulnerability is fixed in Vim version 8.2.4563, released on March 14, 2022 [2]. Users should update their Vim installation to at least version 8.2.4563 or apply the corresponding patch. The fix was also included in macOS Ventura 13 (released October 24, 2022) as part of its security updates [1]. Fedora package announcements are referenced [3][4] but do not provide additional mitigation details.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- pkg:rpm/almalinux/vim-common (no CPE), range: < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-enhanced (no CPE), range: < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-filesystem (no CPE), range: < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-minimal (no CPE), range: < 2:8.2.2637-16.el9_0.2
- pkg:rpm/almalinux/vim-X11 (no CPE), range: < 2:8.2.2637-16.el9_0.2
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed (no CPE), range: < 9.0.0453-2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on Visual-mode selection length in spell_suggest() allows reading beyond the end of the line buffer."
Attack vector
An attacker can trigger a heap-based buffer overflow by crafting a file that, when opened in Vim, causes the user to enter Visual mode, select text that extends to or past the end of a line, and then invoke the "z=" spell-suggest command. The bug occurs because the original code did not check whether `badlen` (derived from the Visual selection) exceeded the actual line length, allowing the spell-suggest logic to read beyond the allocated buffer [ref_id=1]. The attack requires the victim to open a malicious file and perform specific editor actions (Visual selection + "z="), so it is a user-assisted, local attack vector.
Affected code
The vulnerability is in the `spell_suggest()` function in the Vim source tree, specifically in the Visual-mode code path that handles the "z=" command. The patch adds a bounds check after `end_visual_mode()` to ensure `badlen` does not exceed the remaining length of the current line, preventing a heap-buffer over-read.
What the fix does
The patch adds a bounds check after `end_visual_mode()` in `spell_suggest()`: it re-fetches the current line via `ml_get_curline()` and caps `badlen` to `STRLEN(line) - curwin->w_cursor.col` if it would otherwise exceed the remaining line length [ref_id=1]. This ensures the spell-suggest logic never reads past the NUL terminator at the end of the line, closing the heap-buffer over-read. The accompanying test `Test_spellsuggest_visual_end_of_line()` reproduces the scenario that previously caused the out-of-bounds read.
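The clamp described above, as a stand-alone added example rather than Vim's own code: `cursor_T`, `visual_badlen()`, `badlen_overruns()`, `clamp_badlen()` and `demo()` are assumed simplifications that model the column in `curwin->w_cursor.col` and the re-fetched line from `ml_get_curline()`.

```c
#include <string.h>

/* Added example, not Vim's own code: a stand-alone model of the bounds
 * check the patch adds to spell_suggest() after end_visual_mode().
 * cursor_T and the function names are assumed simplifications; in Vim
 * the column lives in curwin->w_cursor.col. */
typedef struct { int col; } cursor_T;

/* Length of the Visual selection on one line, computed as the original
 * code did: from the selection anchor to the cursor, inclusive. The
 * cursor is moved to the lower column so it marks the start of the word. */
int visual_badlen(int visual_col, cursor_T *cursor)
{
    int badlen = cursor->col - visual_col;
    if (badlen < 0)
        badlen = -badlen;
    else
        cursor->col = visual_col;
    return badlen + 1;
}

/* Condition the unpatched code never checked: does the bad word extend
 * past the NUL that terminates the (re-fetched) current line? */
int badlen_overruns(const char *line, const cursor_T *cursor, int badlen)
{
    return cursor->col + badlen > (int)strlen(line);
}

/* The fix as the page describes it: cap badlen at the remaining length
 * of the line so the suggest logic never reads past the terminator. */
int clamp_badlen(const char *line, const cursor_T *cursor, int badlen)
{
    int remaining = (int)strlen(line) - cursor->col;
    if (badlen > remaining)
        badlen = remaining;
    return badlen;
}

/* Constructed scenario: a selection that runs past the end of the line.
 * Returns the clamped badlen (5) when the overrun is detected before the
 * clamp and gone after it, otherwise -1. */
int demo(void)
{
    const char *line = "the quikc";          /* constructed 9-byte line */
    cursor_T cursor = { 12 };                /* cursor dragged past the end */
    int badlen = visual_badlen(4, &cursor);  /* selection anchored at col 4 */
    int before = badlen_overruns(line, &cursor, badlen);
    badlen = clamp_badlen(line, &cursor, badlen);
    return (before && !badlen_overruns(line, &cursor, badlen)) ? badlen : -1;
}
```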
Preconditions
- input: Victim must open a crafted file in Vim
- input: Victim must enter Visual mode, select text at/near end of line, and run 'z='
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C3R36VSLO4TRX72SWB6IDJOD24BQXPX2/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/06/msg00014.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mitre, mailing-list)
- github.com/vim/vim/commit/5c68617d395f9d7b824f68475b24ce3e38d653a3 (mitre)
- huntr.dev/bounties/9e4de32f-ad5f-4830-b3ae-9467b5ab90a1 (mitre)
- support.apple.com/kb/HT213488 (mitre)
News mentions
No linked articles in our index yet.