VYPR
Unrated severity · NVD Advisory · Published May 8, 2022 · Updated Aug 3, 2024

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2729 in vim/vim

CVE-2022-1620

Description

A null pointer dereference in vim's regexp.c:2729 causes a denial of service via crafted input; fixed in v8.2.4901.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference exists in the `vim_regexec_string` function at `regexp.c:2729` in Vim prior to version 8.2.4901. The flaw occurs when an invalid regular expression pattern is processed, leading to a null pointer access. The commit 8e4b76d introduces a guard (`else if (rmp->regprog != NULL)`) in `fname_match` to prevent the dereference [2]. Affected versions include all Vim releases before the 8.2.4901 patch [2].

Exploitation

An attacker can trigger the vulnerability by supplying a crafted input, such as a specially malformed buffer name pattern (e.g., `buf [0--]\&\zs*\zs*e`), which causes Vim to attempt matching with a null `regprog` pointer. The attacker needs only the ability to execute a Vim command or open a crafted file that invokes the vulnerable code path; no authentication or special privileges are required [2].

Impact

Successful exploitation results in a denial of service: Vim crashes due to the null pointer dereference. The impact is limited to application termination; there is no evidence of code execution or data corruption beyond the crash. Apple's advisory notes a separate memory consumption issue, but the CVE-2022-1620 vulnerability is confined to a crash [1].

Mitigation

The vulnerability is patched in Vim version 8.2.4901, released on 2022-05-08 [2]. Users should update to at least this version. The fix is included in upstream Vim and downstream distributions, including the Apple macOS Ventura 13 security update [1]. No workarounds are documented; however, avoiding the processing of untrusted patterns may reduce risk. No KEV listing is known.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38

Vulnerability mechanics

Root cause

"Missing NULL check on regex program pointer after failed pattern compilation leads to NULL pointer dereference."

Attack vector

An attacker can trigger a NULL pointer dereference by providing a crafted invalid regex pattern to the `:buf` command (e.g., `buf [0--]\&\zs*\zs*e`). The pattern causes `vim_regexec` to fail and set `rmp->regprog` to NULL, but the `else` branch in `fname_match` proceeds to use the NULL pointer, crashing Vim. No authentication or special privileges are required — the attacker only needs to convince a user to execute the malicious command in Vim.

Affected code

The vulnerability is in the `fname_match` function, which calls `vim_regexec` with a compiled regex program pointer (`rmp->regprog`). When the regex pattern is invalid, `vim_regexec` can leave `rmp->regprog` as NULL, and the subsequent `else` branch dereferences it without a NULL check, leading to a crash at `regexp.c:2729` in `vim_regexec_string`.

What the fix does

The patch adds a NULL check `else if (rmp->regprog != NULL)` before entering the branch that dereferences `rmp->regprog` [ref_id=1]. This prevents the NULL pointer access when `vim_regexec` fails due to an invalid pattern. The patch also adds a test case (`Test_buf_pattern_invalid`) that exercises the crash scenario with the pattern `[0--]\&\zs*\zs*e` to ensure the fix works.
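The effect of the guard can be seen in a small model, added here as an illustration and not taken from Vim's source. `toy_prog`, `toy_match`, `toy_regexec`, `match_unguarded` and `match_guarded` are hypothetical stand-ins, the retry on an alternate spelling of the name is an assumption, and a NULL program is reported as `NULL_DEREF` rather than actually read through.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the regmatch struct and compiled program. */
typedef struct { const char *needle; int fail_on_exec; } toy_prog;
typedef struct { toy_prog *regprog; } toy_match;

enum { NULL_DEREF = -1, NO_MATCH = 0, MATCH = 1 };

/* Stand-in for vim_regexec: a failing run drops the program and leaves
 * rmp->regprog NULL. A NULL program is reported as NULL_DEREF instead of
 * being read through, so the model itself never crashes. */
static int toy_regexec(toy_match *rmp, const char *text)
{
    if (rmp->regprog == NULL)
        return NULL_DEREF;
    if (rmp->regprog->fail_on_exec) {
        rmp->regprog = NULL;
        return NO_MATCH;
    }
    return strstr(text, rmp->regprog->needle) != NULL ? MATCH : NO_MATCH;
}

/* Pre-fix shape: a plain `else` retries on an alternate spelling of the
 * name (assumed here) without looking at rmp->regprog first. */
int match_unguarded(toy_match *rmp, const char *name, const char *alt)
{
    if (toy_regexec(rmp, name) == MATCH)
        return MATCH;
    else
        return toy_regexec(rmp, alt);
}

/* Post-fix shape: the retry is gated by `else if (rmp->regprog != NULL)`. */
int match_guarded(toy_match *rmp, const char *name, const char *alt)
{
    if (toy_regexec(rmp, name) == MATCH)
        return MATCH;
    else if (rmp->regprog != NULL)
        return toy_regexec(rmp, alt);
    return NO_MATCH;
}

int main(void)
{
    toy_prog p1 = { "f", 1 }, p2 = { "f", 1 };   /* constructed inputs */
    toy_match a = { &p1 }, b = { &p2 };
    printf("unguarded: %d\n", match_unguarded(&a, "/home/u/f", "~/f"));
    printf("guarded:   %d\n", match_guarded(&b, "/home/u/f", "~/f"));
    return 0;
}
```

The unguarded path reaches the second call with a NULL program, which is the point where the real code crashes; the guarded path returns "no match" and leaves the caller to handle the invalid pattern.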

Preconditions

  • input: User must execute a crafted `:buf` command with an invalid regex pattern in Vim

Reproduction

1. Open Vim (version prior to 8.2.4901).
2. Run `:vsplit 0000000` to create a buffer.
3. Run `:silent! buf [0--]\&\zs*\zs*e` to trigger the NULL pointer dereference.
4. Vim will crash with a segmentation fault.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10
