VYPR
Unrated severity · NVD Advisory · Published Apr 21, 2022 · Updated Aug 3, 2024

Use of Out-of-range Pointer Offset in vim/vim

CVE-2022-1420

Description

Vim prior to 8.2.4774 has an out-of-range pointer offset vulnerability in lambda expression handling, potentially allowing arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use of out-of-range pointer offset vulnerability exists in the eval_lambda function of Vim, affecting versions prior to 8.2.4774. When a lambda expression uses a number as the function name, an improper pointer offset can be triggered. The flaw was addressed in commit 8b91e71 [2].

Exploitation

An attacker can exploit this vulnerability by crafting a Vim script or file containing a malicious lambda expression, such as `0->(3)()`, that causes an out-of-bounds read or write. No special privileges are required; the user only needs to open the crafted file in Vim.

Impact

Successful exploitation could lead to a crash (denial of service) or, under specific memory conditions, arbitrary code execution. Apple's security advisory for macOS Ventura 13 lists this CVE with an impact of arbitrary code execution [1].

Mitigation

The vulnerability is fixed in Vim version 8.2.4774 [2]. Users should update to this version or later. Apple included the fix in macOS Ventura 13 [1]. No workaround is available; upgrading is advised.
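To check a host against the fixed version named above, the following added example (not part of the advisory or of Vim) parses `vim --version` output and reports whether patch 8.2.4774 is present, including builds that list individually applied patches. The function names and the sample outputs are constructed for illustration.

```python
import re
import subprocess

FIXED_VERSION = (8, 2)  # from the advisory: fixed in Vim 8.2.4774
FIXED_PATCH = 4774

def parse_vim_version(output):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` text."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(m.group(1)), int(m.group(2)))
    ranges = []
    p = re.search(r"^Included patches:\s*(.+)$", output, re.MULTILINE)
    if p:
        # Entries are single patches ("4774") or ranges ("1-3995").
        for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", p.group(1)):
            ranges.append((int(lo), int(hi or lo)))
    return version, ranges

def has_fix(output):
    """True if the build is 8.2 with patch 4774 listed, or a later release."""
    version, ranges = parse_vim_version(output)
    if version != FIXED_VERSION:
        # Later releases include the fix; earlier ones are "prior to 8.2.4774".
        return version > FIXED_VERSION
    return any(lo <= FIXED_PATCH <= hi for lo, hi in ranges)

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD = ("VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Mar 01 2022 10:00:00)\n"
              "Included patches: 1-4500\n")
SAMPLE_FIXED = ("VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Apr 18 2022 10:00:00)\n"
                "Included patches: 1-4774\n")
SAMPLE_LISTED = ("VIM - Vi IMproved 8.2 (2019 Dec 12, compiled May 02 2022 10:00:00)\n"
                 "Included patches: 1-3995, 4563, 4774\n")
SAMPLE_NEWER = ("VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jul 10 2022 10:00:00)\n"
                "Included patches: 1-100\n")
SAMPLE_NO_PATCHES = "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Jan 05 2020 10:00:00)\n"

if __name__ == "__main__":
    # Live check on the local host; requires vim on PATH.
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    print("patch 8.2.4774 present" if has_fix(out) else "patch 8.2.4774 NOT listed")
```

Distribution packages may backport the fix without listing patch 4774, so confirm a negative result against the vendor's package changelog.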

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

43

Vulnerability mechanics

Root cause

"Missing type validation and incorrect pointer arithmetic in `eval_lambda` when parsing `->(expr)` with non-function types leads to use of an out-of-range pointer offset."

Attack vector

An attacker can craft a malicious input file or command that uses the `->(expr)` syntax with a non-string, non-function expression (e.g., a number, list, or dictionary) followed by `()`. When Vim evaluates this malformed lambda-like expression, the out-of-range pointer offset leads to a crash. The attack requires the victim to open or evaluate the crafted input in Vim [ref_id=1].

Affected code

The vulnerability is in the `eval_lambda` function in Vim's source code. The patch modifies the logic that handles `->(expr)` arrow-parens expressions, specifically the parsing of the closing parenthesis and the type check on the resulting expression value.

What the fix does

The patch (commit 8b91e71441069b1dde9ac9ff9d9a829b1b4aecca) fixes the issue by reordering the checks in `eval_lambda`. First, it verifies that a closing `)` is present, emitting `e_missing_closing_paren` if not. Then it checks that the expression result is a string, function, or partial type; otherwise it emits the new error `E1275: String or function required for ->(expr)`. Only after both checks pass does it increment the pointer past the `)`, preventing the out-of-range pointer offset that caused the crash [ref_id=1].

Preconditions

  • input: Victim must open or evaluate a crafted file/command containing a malformed `->(expr)()` expression in Vim

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
