Unrated severity · NVD Advisory · Published Apr 17, 2022 · Updated Aug 3, 2024

global heap buffer overflow in skip_range in vim/vim

CVE-2022-1381

Description

A heap buffer overflow in Vim's skip_range function, prior to 8.2.4763, can lead to memory corruption and possible remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A global heap buffer overflow vulnerability exists in the skip_range function in Vim, affecting versions prior to 8.2.4763. The flaw is triggered during parsing of command modifiers in Ex mode when handling a special case where an empty command is changed to +. The code path leads to a mch_memmove operation that can write past the allocated buffer, as patched in commit f50808ed135ab973296bca515ae4029b321afe47 [2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious file or providing specially crafted input that triggers the vulnerable code path. The attack requires the victim to open the malicious file with Vim, leading to a heap buffer overflow. No additional authentication or special network position is needed beyond convincing the user to open the file [2].

Impact

Successful exploitation can cause a crash (denial of service), bypass protection mechanisms, modify memory, and potentially lead to remote code execution. The impact is severe, as it may allow an attacker to execute arbitrary code on the victim's system [1][2].

Mitigation

The vulnerability is fixed in Vim version 8.2.4763, released on April 17, 2022 [2]. Users should update to at least this version. Apple included the fix in macOS Ventura 13 (released October 24, 2022) for affected Mac models [1]. No workaround is available; upgrading is the only mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing tracking of when eap->cmd is redirected to a static string, causing heap buffer overflow in mch_memmove operations."

Attack vector

An attacker can trigger this by entering Ex mode and issuing a command like `V:` (visual selection followed by colon) with an empty command. When the cursor is not on the last line, `parse_command_modifiers()` replaces the empty command with a pointer to the static string `"+"` [ref_id=1]. The subsequent `mch_memmove` operations then write past the bounds of the original heap buffer, because `eap->cmd` no longer points into it, causing a global heap buffer overflow [CWE-122].

Affected code

The bug is in `parse_command_modifiers()` in Vim's Ex-mode command parsing. The function modifies `eap->cmd` to point to a `"+"` string when the command is empty and the cursor is not on the last line [patch_id=f50808ed]. The heap buffer overflow occurs in the `mch_memmove` operations around lines 3108-3110, which assume `eap->cmd` still points into the original allocated command buffer; after the `"+"` substitution it may point to a static string instead.

What the fix does

The patch introduces a `did_plus_cmd` flag to track when `eap->cmd` was redirected to the static `"+"` string [patch_id=f50808ed]. When this flag is set, the code uses `orig_cmd` (saved before any modification) as the destination buffer and copies the command text into it with `STRLEN`/`STRCPY` instead of performing the unsafe `mch_memmove` arithmetic. This ensures all writes target the original heap-allocated buffer, preventing the out-of-bounds write.
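
The pattern described above, as an added example: this is a simplified model written for this page, not Vim's source and not the patch itself. The names `did_plus_cmd` and `orig_cmd` follow the description; `plus_cmd`, `skip_modifier`, `insert_marker`, `rewrite_line`, the one-byte modifier and the `':'` marker are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not Vim source: strip a one-byte modifier from a heap
 * line, then write a ':' marker directly before the command text. */
static char plus_cmd[] = "+";   /* static storage, outside the heap buffer */

/* Parse step: skip the modifier; an empty command is redirected to "+". */
static char *skip_modifier(char *orig_cmd, int *did_plus_cmd)
{
    char *cmd = orig_cmd + 1;
    *did_plus_cmd = (*cmd == '\0');   /* the tracking the root cause says was missing */
    return *did_plus_cmd ? plus_cmd : cmd;
}

/* Rewrite step. Without the flag, memmove(cmd - 1, ...) would also run when
 * cmd is plus_cmd and write outside it. Returns 0, or -1 if it does not fit. */
static int insert_marker(char *orig_cmd, size_t cap, char *cmd, int did_plus_cmd)
{
    if (did_plus_cmd) {
        if (strlen(cmd) + 2 > cap) return -1;   /* ':' + cmd + NUL */
        orig_cmd[0] = ':';            /* rebuild inside the saved heap buffer */
        strcpy(orig_cmd + 1, cmd);
    } else {
        memmove(cmd - 1, ":", 1);     /* cmd - 1 is orig_cmd[0], in bounds */
    }
    return 0;
}

/* Rewrites a heap copy of non-empty `line` with `slack` spare bytes.
 * Returns the malloc'd result, or NULL on failure. */
char *rewrite_line(const char *line, size_t slack)
{
    size_t cap = strlen(line) + 1 + slack;
    int did_plus_cmd = 0;
    char *orig_cmd = line[0] ? malloc(cap) : NULL;
    if (orig_cmd == NULL) return NULL;
    memcpy(orig_cmd, line, strlen(line) + 1);
    char *cmd = skip_modifier(orig_cmd, &did_plus_cmd);
    if (insert_marker(orig_cmd, cap, cmd, did_plus_cmd) != 0) { free(orig_cmd); return NULL; }
    return orig_cmd;
}

int main(void)
{
    char *r = rewrite_line("V", 1);   /* constructed input: modifier only */
    if (r != NULL) { puts(r); free(r); }
    return 0;
}
```

The capacity check on the flagged path matters as much as the flag: rebuilding the command in `orig_cmd` is only safe when the saved buffer has room for the result.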

Preconditions

  • input: Attacker must be able to enter Ex mode and supply a command starting with 'V:' (visual selection followed by colon)
  • input: Cursor must not be on the last line of the buffer

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
