Use after free in utf_ptr2char in vim/vim
Description
A use-after-free vulnerability in Vim's utf_ptr2char function, prior to 8.2.4646, allows a crafted file to crash or execute arbitrary code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in the utf_ptr2char function of Vim versions prior to 8.2.4646. The flaw occurs when the regexp engine accesses a buffer line after it has been freed. The commit [1] shows a fix in regmatch() that saves the cursor column position before calling getmark_buf(), then re-fetches the line and adjusts the input pointer afterward, preventing use of freed memory. The vulnerable code path is reachable via the \%'m and \%#=1\%'m patterns in substitutions, as demonstrated in the test added with the patch [1].
Exploitation
An attacker can trigger the use-after-free with a substitution whose pattern uses a mark atom, e.g. s/\%') (new regexp engine) or s/\%#=1\%') (old engine). When Vim runs the substitution, regmatch() resolves the mark by calling getmark_buf(); resolving a mark such as ') can fetch other buffer lines, which frees the cached line that rex.line points into. The engine then keeps using rex.line and rex.input without re-fetching the line, so it reads freed memory. No authentication or special privileges are required; the victim only needs to open the crafted file or apply the substitution in Vim.
Impact
Successful exploitation could lead to a crash of the Vim editor or potential arbitrary code execution in the context of the Vim process. The impact is primarily denial of service, but the nature of use-after-free vulnerabilities can allow an attacker to control execution flow if they can influence the freed memory content.
Mitigation
The vulnerability is fixed in Vim version 8.2.4646 and later [1]. Users should upgrade Vim to at least 8.2.4646 or any subsequent version. Distributions such as Gentoo have provided updated packages (>=9.0.0060) as part of a broader security update [4]. No workaround is available [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (6 package versions):
- pkg:rpm/almalinux/vim-common (no CPE): range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-enhanced (no CPE): range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-filesystem (no CPE): range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-minimal (no CPE): range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-X11 (no CPE): range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed (no CPE): range < 9.0.0453-2.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free: after `getmark_buf()` frees the buffer line, the regexp engine continues to use the stale `rex.line` pointer."
Attack vector
An attacker can trigger the use-after-free with a pattern that uses the `\%'` mark atom (e.g. `s/\%')`). When `regmatch()` evaluates the atom it calls `getmark_buf()`; resolving the mark may fetch other buffer lines, and that frees the cached line that `rex.line` and `rex.input` point into. The code then continues to use those pointers, which now reference freed memory. This can lead to a crash or potentially arbitrary code execution.
Affected code
The vulnerability is in the `regmatch()` function in Vim's regexp engine. The patch shows that after calling `getmark_buf()`, the buffer line (`rex.line`) may have been freed, so the fix re-fetches the line via `reg_getline()` and recalculates `rex.input` using the saved column offset.
What the fix does
The patch saves the column offset (`col = rex.input - rex.line`) before calling `getmark_buf()`. After the call, if `REG_MULTI` is true, it re-fetches the line via `reg_getline(rex.lnum)` and restores `rex.input` as `rex.line + col`. This ensures that even if the original line was freed by `getmark_buf()`, the regexp engine continues to use a valid line pointer. The test case `Test_using_mark_position()` was also extended to cover both the new and old regexp engines.
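The pointer-rebasing idea behind the fix (save a column offset, re-fetch the line, rebase the cursor) is shown below in a constructed model, added here as an illustration; it is not Vim's code. The names `ml_get`, `rex` and the sentence-end mark are borrowed from Vim's vocabulary, but the bodies are a deliberate simplification and an assumption of this example: a single cached line that is freed whenever a different line is requested, and a mark lookup that scans following lines. The vulnerable variant only reports that its pointers have gone stale rather than dereferencing them, since reading freed memory is undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed three-line buffer (sample input, not from Vim or the CVE). */
static const char *const SAMPLE[] = {
    "first line, no sentence end",
    "still going",
    "ends here. next",
};
enum { NLINES = 3 };

/* Simplified stand-in for Vim's memline: one cached line; asking for a
 * different line frees the previous allocation, so pointers into it dangle. */
typedef struct {
    char *cached;
    long lnum;
    unsigned gen;   /* bumps each time the cached allocation is replaced */
} memline_t;

static char *ml_get(memline_t *ml, long lnum) {
    if (lnum < 1 || lnum > NLINES) return (char *)"";
    if (ml->cached == NULL || ml->lnum != lnum) {
        size_t len = strlen(SAMPLE[lnum - 1]) + 1;
        free(ml->cached);                  /* old line pointer now dangles */
        ml->cached = malloc(len);
        memcpy(ml->cached, SAMPLE[lnum - 1], len);
        ml->lnum = lnum;
        ml->gen++;
    }
    return ml->cached;
}

/* Stand-in for getmark_buf(buf, ')', ...): line of the current sentence end.
 * Like findsent(), it may read other lines, and each read goes via ml_get(). */
static long mark_sentence_end(memline_t *ml, long start) {
    for (long l = start; l <= NLINES; l++)
        if (strchr(ml_get(ml, l), '.') != NULL) return l;
    return NLINES;
}

/* Subset of Vim's rex state: the line being matched and the cursor into it. */
typedef struct {
    char *line;
    char *input;
    long lnum;
} rex_t;

/* Pre-8.2.4646 shape: rex.line/rex.input kept across the mark lookup.
 * Returns 1 if they now point into freed memory (never dereferenced here). */
static int mark_atom_vulnerable(memline_t *ml, rex_t *rex) {
    unsigned gen_before = ml->gen;
    (void)mark_sentence_end(ml, rex->lnum);
    return ml->gen != gen_before;
}

/* 8.2.4646 shape: remember the column offset, re-fetch the line, rebase input.
 * Returns the character under rex.input after the lookup. */
static int mark_atom_fixed(memline_t *ml, rex_t *rex) {
    size_t col = (size_t)(rex->input - rex->line);
    (void)mark_sentence_end(ml, rex->lnum);
    rex->line = ml_get(ml, rex->lnum);     /* line may have been freed, get it again */
    rex->input = rex->line + col;
    return (unsigned char)*rex->input;
}

/* Start matching at column `col` of line `lnum` on a fresh memline. */
static void start_match(memline_t *ml, rex_t *rex, long lnum, size_t col) {
    memset(ml, 0, sizeof *ml);
    rex->lnum = lnum;
    rex->line = ml_get(ml, lnum);
    rex->input = rex->line + col;
}

static void ml_free(memline_t *ml) { free(ml->cached); ml->cached = NULL; }

int main(void) {
    memline_t ml;
    rex_t rex;
    start_match(&ml, &rex, 1, 6);          /* cursor on the 'l' of "line" */
    printf("vulnerable: line pointer stale after mark lookup = %d\n",
           mark_atom_vulnerable(&ml, &rex));
    ml_free(&ml);
    start_match(&ml, &rex, 1, 6);
    printf("fixed: char under rex.input after lookup = '%c'\n",
           mark_atom_fixed(&ml, &rex));
    ml_free(&ml);
    return 0;
}
```

The generation counter is what makes the stale state observable without touching freed memory; in real Vim the same condition would surface only as a crash or as whatever the allocator has since placed in that block, which is why sanitizer builds (ASan) are the practical way to confirm this class of bug against the actual editor.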
Preconditions
- Input: the attacker must be able to get a regex pattern containing the \%' mark atom executed by Vim against a buffer (REG_MULTI matching), for example through a substitute command.
- Config: resolving the mark must cause Vim to fetch a different buffer line during matching, which frees the cached line that rex.line points into.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C2CQXRLBIC4S7JQVEIN5QXKQPYWB5E3J/ (vendor advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/ (vendor advisory)
- https://security.gentoo.org/glsa/202208-32 (vendor advisory)
- https://security.gentoo.org/glsa/202305-16 (vendor advisory)
- https://lists.debian.org/debian-lts-announce/2022/05/msg00022.html (mailing list)
- https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mailing list)
- https://github.com/vim/vim/commit/b55986c52d4cd88a22d0b0b0e8a79547ba13e1d5 (fix commit)
- https://huntr.dev/bounties/7f0ec6bc-ea0e-45b0-8128-caac72d23425 (bug report)
- https://www.oracle.com/security-alerts/cpujul2022.html (vendor advisory)
News mentions
No linked articles in our index yet.