heap buffer overflow in get_one_sourceline in vim/vim
Description
A heap buffer overflow in Vim's get_one_sourceline() function, prior to 8.2.4647, can be triggered by a crafted source file, allowing denial of service or potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap buffer overflow vulnerability exists in the get_one_sourceline function in Vim prior to version 8.2.4647 [3]. The bug occurs when processing source lines: the code did not properly check for buffer growth before appending a NUL terminator, leading to writing past the allocated heap memory on long lines [3]. The affected versions are all Vim releases before the patch 8.2.4647 [3].
Exploitation
An attacker can exploit this by providing a crafted file with an unusually long line via the :source command or by opening a specially crafted file that triggers the vulnerable code path [3]. No special privileges are required beyond normal file access; the user must be tricked into sourcing or opening the malicious file [3].
Impact
Successful exploitation results in a heap buffer overflow, which can cause a denial of service (crash) or potentially allow arbitrary code execution in the context of the Vim process [3][4]. The vulnerability is classified as high severity [4].
Mitigation
The vulnerability is fixed in Vim version 8.2.4647 and later [3]. Users should update to at least that version. Distributions such as Fedora have released updated packages [1][2], and Gentoo recommends upgrading to >=app-editors/vim-9.0.0060 [4]. No workaround is available; applying the patch or upgrading is the only mitigation [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 3
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check before writing a NUL terminator past the end of a growarray buffer in get_one_sourceline."
Attack vector
An attacker can trigger this heap buffer overflow by providing a crafted buffer line that, when processed by the `:source` command, causes `ga_concat` to fill the growarray exactly to capacity. The subsequent write of the NUL terminator at `buf[ga.ga_len++]` then writes one byte past the allocated heap buffer [ref_id=1]. The test case in the patch demonstrates reproduction using a long line (300 characters of '0') sourced from a buffer [ref_id=1].
Affected code
The vulnerability is in the `get_one_sourceline` function in Vim's source code, specifically in the block that handles reading lines from a buffer source (`sp->buflines`). The code calls `ga_concat` to append a line to a `growarray`, then accesses `ga.ga_data` and writes a NUL terminator at `buf[ga.ga_len++]` without first ensuring the array has room for that extra byte [ref_id=1].
What the fix does
The patch adds a `ga_grow(&ga, 1)` call before writing the NUL terminator, ensuring the growarray has at least one extra byte of capacity. If `ga_grow` fails, the loop breaks safely. The NUL assignment is then moved to after the growth check, using `buf[ga.ga_len++] = NUL` on the re-validated data pointer [ref_id=1]. A regression test (`Test_source_buffer_long_line`) was also added to cover this case [ref_id=1].
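To make the off-by-one concrete, here is an added example (not Vim's code) with a simplified growarray model: field names follow Vim's `garray_T`, but the growth step `GROWSIZE` and the exact growth policy are assumptions for this illustration. A 300-byte line, as in the regression test, grows the array by exactly its length, so the pre-patch NUL write would land one byte past the allocation; the patched variant calls `ga_grow(&ga, 1)` first.

```c
#include <stdlib.h>
#include <string.h>
#define GROWSIZE 200   /* assumed minimum growth step for this model; Vim's real policy differs */

/* Simplified model of Vim's growarray (garray_T); field names follow Vim. */
typedef struct { int ga_len, ga_maxlen; char *ga_data; } garray_T;

/* Make room for n more bytes; 1 on success, 0 on allocation failure. */
static int ga_grow(garray_T *gap, int n)
{
    if (gap->ga_maxlen - gap->ga_len < n) {
        int   new_len = gap->ga_maxlen + (n > GROWSIZE ? n : GROWSIZE);
        char *p = realloc(gap->ga_data, (size_t)new_len);
        if (p == NULL) return 0;
        gap->ga_data = p;
        gap->ga_maxlen = new_len;
    }
    return 1;
}

/* Append a constructed line of line_len '0' bytes (the regression test uses 300) to an
 * empty array. A line longer than GROWSIZE grows the array by exactly its length, so
 * afterwards ga_len == ga_maxlen: no slack byte is left for a trailing NUL. */
static int concat_line(garray_T *gap, int line_len)
{
    memset(gap, 0, sizeof(*gap));
    if (!ga_grow(gap, line_len)) return 0;
    memset(gap->ga_data + gap->ga_len, '0', (size_t)line_len);
    gap->ga_len += line_len;
    return 1;
}

/* Pre-patch pattern: would buf[ga.ga_len++] = NUL land inside the allocation?
 * Returns 1 if in bounds, 0 if it would be the one-byte heap overflow (tested, not written). */
int unchecked_nul_in_bounds(int line_len)
{
    garray_T ga;
    if (!concat_line(&ga, line_len)) return -1;
    int in_bounds = ga.ga_len < ga.ga_maxlen;
    free(ga.ga_data);
    return in_bounds;
}

/* Patched pattern: ga_grow(&ga, 1) before the NUL write; returns the final ga_len. */
int checked_nul_len(int line_len)
{
    garray_T ga;
    if (!concat_line(&ga, line_len) || !ga_grow(&ga, 1)) { free(ga.ga_data); return -1; }
    ga.ga_data[ga.ga_len++] = '\0';   /* re-read ga_data: realloc may have moved it */
    int len = ga.ga_len;
    free(ga.ga_data);
    return len;
}
```

A short line (50 bytes) stays within the 200-byte growth step and leaves slack, which is why only lines that fill the array exactly hit the bug.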
Preconditions
- input: The attacker must be able to supply or control a buffer line that is sourced via Vim's `:source` command.
- input: The line must be long enough that `ga_concat` fills the growarray to its exact capacity, leaving no room for the trailing NUL.
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C2CQXRLBIC4S7JQVEIN5QXKQPYWB5E3J/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RAIQTUO35U5WO2NYMY47637EMCVDJRSL/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- github.com/vim/vim/commit/2bdad6126778f907c0b98002bfebf0e611a3f5db (mitre)
- huntr.dev/bounties/a6f3222d-2472-439d-8881-111138a5694c (mitre)
News mentions: 0
No linked articles in our index yet.