Heap-based Buffer Overflow in function cmdline_erase_chars in vim/vim
Description
A heap-based buffer overflow in Vim's cmdline_erase_chars prior to 8.2.4899 can crash Vim, corrupt memory and, per the CVE description, possibly lead to remote code execution; it is triggered by a crafted key sequence on the command line.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in the cmdline_erase_chars function in Vim prior to version 8.2.4899 [2]. The flaw is in the handling of the CTRL-W (delete word backward) key on the command line when the latin1 (non-multibyte) encoding is active: a missing bounds check lets the code access memory before the start of the command-line buffer [2]. All builds before the patch are affected, including the Vim shipped with macOS before Ventura 13 [1].
Exploitation
An attacker needs their keystrokes to reach Vim's command line: the user either types the sequence or runs something that replays it (the patch's regression test feeds the keys programmatically). The trigger is a command line containing only blanks, for example a single space, followed by CTRL-W [2]. The word-delete code inspects the byte before the cursor to decide which characters to erase, and the latin1 branch does it without first checking that the cursor is still inside the buffer [2]. Local interaction is required; no network vector is indicated.
Impact
Successful exploitation accesses heap memory outside the command-line buffer, which the CVE description says can crash the software, modify memory and possibly lead to arbitrary code execution [1]. The practical impact depends on the heap layout around `ccline.cmdbuff`; the CVE text lists possible remote execution, but the only trigger described is keystrokes reaching the command line of a locally running Vim [1][2].
Mitigation
Vim fixed the issue in patch 8.2.4899, released on May 8, 2022 [2]; update to that version or later. Distribution backports are listed under Affected products (SUSE and openSUSE) and in the Debian, Fedora and Gentoo advisories under References. Apple included the fix in macOS Ventura 13, released October 24, 2022 [1]. No workaround is documented. The defective branch is only reached when 'encoding' is latin1 (the non-multibyte path); with the default UTF-8 encoding CTRL-W is handled by the multibyte branch, which already guards against running off the start of the buffer. Until patched, avoid running untrusted scripts or keystroke files in affected builds.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
36 OSV package coordinates (no CPE entries); the range is the first fixed distribution version:
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3: < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4: < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed: < 9.0.0453-2.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 9.0.0814-17.9.1
Patches
No patches indexed yet; the upstream fix commit (ef02f16609ff0a26ffc6e20263523424980898fe, patch 8.2.4899) is listed under References.
Vulnerability mechanics
Root cause
"Missing bounds check in the latin1 (non-multibyte) branch of `cmdline_erase_chars`: once the leading-blank loop has moved `p` back to `ccline.cmdbuff`, the code still reads `p[-1]` to classify the character before the cursor, touching the byte before the start of the heap-allocated command-line buffer when CTRL-W is pressed on a command line that holds only blanks."
Attack vector
An attacker can trigger the out-of-bounds access by supplying a crafted key sequence to Vim's command line while 'encoding' is `latin1`. Specifically, with the command line consisting only of blanks (for example `: ` followed by CTRL-W), the blank-skipping loop moves `p` back to `ccline.cmdbuff`, and the word-delete code then evaluates `p[-1]`, one byte before the allocated heap buffer. This can crash Vim, feed garbage into the erase logic that follows, and per the CVE description possibly lead to remote code execution. The preconditions are that Vim runs with `latin1` encoding and that the attacker's input can leave nothing but blanks before the cursor before CTRL-W is issued.
Affected code
The vulnerability is in the `cmdline_erase_chars` function in Vim's command-line editing code (ex_getln.c). The patch modifies the CTRL-W (delete word backward) branch taken when the `latin1` encoding is active; the multibyte branch used for UTF-8 is not changed. The defect is that, after the loop skipping blanks, the code takes the word class of `p[-1]` and enters a second while-loop that also inspects `p[-1]`, without first checking whether `p` already points at the start of `ccline.cmdbuff`.
What the fix does
The patch wraps the word-class lookup and the inner while-loop that decrements `p` in `if (p > ccline.cmdbuff)`. When the blank-skipping loop has already brought `p` to the start of the command buffer, the guarded block is skipped entirely and `p[-1]` is never evaluated. The fix also adds a regression test that feeds the sequence `: \
Preconditions
- config: Vim must be running with 'latin1' encoding active
- input: the attacker must be able to supply command-line input that leaves only blanks before the cursor (including an otherwise empty line) before CTRL-W is pressed
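The defective branch and the 8.2.4899 guard, as an added stand-alone C model; this is example code written for this page, not Vim's own source. It mirrors the latin1 CTRL-W path in offset form so both variants can be run side by side: a bounds-checked reader counts any access before the buffer instead of performing it, so the unpatched variant reports the `p[-1]` read on a blank-only line rather than crashing or silently reading heap metadata. `iswordc` is an assumed simplification of Vim's `vim_iswordc()` under the default 'iskeyword', `isblank_c` stands in for `vim_isspace()`, and a malloc'd string stands in for `ccline.cmdbuff`; the sample command lines are constructed for the demo.

```c
/* Added example, not Vim's code: a stand-alone model of the latin1 (non-
 * multibyte) CTRL-W word-delete path of cmdline_erase_chars(), in its
 * unpatched and 8.2.4899 forms. Every byte access goes through a bounds-
 * checked reader, so the read of p[-1] at the start of the buffer is
 * counted and reported instead of being undefined behaviour. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for vim_iswordc() under the default 'iskeyword'
 * ("@,48-57,_,192-255"): ASCII letters/digits, '_' and latin1 bytes 192-255. */
static int iswordc(unsigned char c)
{
    return isalnum(c) || c == '_' || c >= 192;
}

/* Stand-in for vim_isspace(): blank or tab. */
static int isblank_c(unsigned char c)
{
    return c == ' ' || c == '\t';
}

/* Bounds-checked read of cmdbuff[idx]. idx < 0 is the p[-1] access the
 * unpatched code performs when p == cmdbuff; it is counted and a neutral
 * byte returned so the model stays well-defined. */
static unsigned char rd(const char *cmdbuff, long idx, int *oob_reads)
{
    if (idx < 0) {
        ++*oob_reads;
        return 0;
    }
    return (unsigned char)cmdbuff[idx];
}

/* Offset form of the `else if (c == Ctrl_W)` branch. cmdpos is the cursor
 * position in bytes; p mirrors the pointer ccline.cmdbuff + cmdpos.
 * Returns the position CTRL-W erases back to and counts reads before the
 * buffer in *oob_reads. fixed != 0 applies the 8.2.4899 guard. */
static long ctrl_w_target(const char *cmdbuff, long cmdpos, int fixed,
                          int *oob_reads)
{
    long p = cmdpos;
    int i;

    *oob_reads = 0;
    if (cmdpos <= 0)            /* Vim only enters this path when cmdpos > 0 */
        return cmdpos;

    while (p > 0 && isblank_c(rd(cmdbuff, p - 1, oob_reads)))
        --p;                    /* skip blanks before the cursor */

    /* Unpatched: p may be 0 here (the line held only blanks), and the
     * class lookup below then reads the byte before the allocation. */
    if (!fixed || p > 0) {
        i = iswordc(rd(cmdbuff, p - 1, oob_reads));
        while (p > 0 && !isblank_c(rd(cmdbuff, p - 1, oob_reads))
               && iswordc(rd(cmdbuff, p - 1, oob_reads)) == i)
            --p;
    }
    return p;
}

/* Probes: position CTRL-W erases back to, and reads before the buffer. */
static long ctrl_w_pos(const char *cmdbuff, long cmdpos, int fixed)
{
    int oob;
    return ctrl_w_target(cmdbuff, cmdpos, fixed, &oob);
}

static int ctrl_w_oob_reads(const char *cmdbuff, long cmdpos, int fixed)
{
    int oob;
    (void)ctrl_w_target(cmdbuff, cmdpos, fixed, &oob);
    return oob;
}

/* Apply CTRL-W to a writable buffer: erase [target, cmdpos) in place and
 * return the new cursor position. */
static long ctrl_w_apply(char *cmdbuff, long cmdpos, int fixed, int *oob_reads)
{
    long target = ctrl_w_target(cmdbuff, cmdpos, fixed, oob_reads);
    long len = (long)strlen(cmdbuff);
    memmove(cmdbuff + target, cmdbuff + cmdpos, (size_t)(len - cmdpos) + 1);
    return target;
}

int main(void)
{
    /* Constructed command lines; " " is the regression-test case (a blank
     * then CTRL-W). Buffers are heap-allocated like ccline.cmdbuff. */
    const char *cases[] = { " ", "foo bar", "foo bar  ", "x-y" };
    size_t k;
    int fixed;

    for (k = 0; k < sizeof cases / sizeof cases[0]; ++k)
        for (fixed = 0; fixed <= 1; ++fixed) {
            size_t n = strlen(cases[k]);
            char *buf = malloc(n + 1);
            int oob;
            long np;
            if (buf == NULL)
                return 1;
            memcpy(buf, cases[k], n + 1);
            np = ctrl_w_apply(buf, (long)n, fixed, &oob);
            printf("%-9s %-12s -> \"%s\" cursor=%ld reads_before_buffer=%d\n",
                   fixed ? "fixed" : "unpatched", cases[k], buf, np, oob);
            free(buf);
        }
    return 0;
}
```

On the blank-only line the unpatched variant reports one read before the buffer and the fixed variant none; on ordinary input (`foo bar`, trailing blanks, a punctuation boundary such as `x-y`) both variants agree, which is the property the guard has to preserve. Replacing `rd()` with a raw `cmdbuff[idx]` and running the unpatched variant under AddressSanitizer turns that counted read into a heap-buffer-overflow report one byte below the allocation, the same class of finding the CVE describes.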
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A6BY5P7ERZS7KXSBCGFCOXLMLGWUUJIH/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIP7KG7TVS5YF3QREAY2GOGUT3YUBZAI/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JUN33257RUM4RS2I4GZETKFSAXPETATG/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre, mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/05/msg00022.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00032.html (mitre, mailing-list)
- github.com/vim/vim/commit/ef02f16609ff0a26ffc6e20263523424980898fe (mitre)
- huntr.dev/bounties/b3200483-624e-4c76-a070-e246f62a7450 (mitre)
- security.netapp.com/advisory/ntap-20220930-0007/ (mitre)
- support.apple.com/kb/HT213488 (mitre)
News mentions
No linked articles in our index yet.