Unrated severity · NVD Advisory · Published May 9, 2022 · Updated Aug 3, 2024

Heap buffer overflow in vim_strncpy find_word in vim/vim

CVE-2022-1621

Description

Heap buffer overflow in vim_strncpy find_word in Vim before 8.2.4919 allows denial of service and possible remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer overflow exists in the `vim_strncpy` function used by `find_word` in Vim prior to version 8.2.4919. The bug occurs when specially crafted text is processed with the `:spellgood` command, which allows invalid bytes to be added to the word tree. Affected versions: all Vim versions before 8.2.4919. [2]

Exploitation

An attacker can exploit this by providing a maliciously crafted file or text that triggers the :spellgood command with invalid UTF-8 bytes. No authentication is required if the victim opens the file. The attacker needs to convince the user to open the file or trigger the spell checking functionality. The vulnerability is reachable when spell checking is enabled. [2]

Impact

Successful exploitation can cause a heap buffer overflow, leading to a crash (denial of service), bypass of protection mechanisms, memory corruption, and potentially arbitrary code execution. The impact is high, and the CVSS score is likely high. [description]

Mitigation

Fixed in Vim version 8.2.4919, released on the commit date (2022-05-09). Users should upgrade to at least that version. Gentoo recommends upgrading to >=9.0.0060. [2][4] Apple included a fix in macOS Ventura 13. [1] No workaround is available. [4]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

8

Vulnerability mechanics

Root cause

"Missing validation of UTF-8 string validity in `store_word` and `spell_add_word` allows illegal bytes to trigger a heap buffer overflow in `vim_strncpy`/`find_word`."

Attack vector

An attacker can trigger a heap buffer overflow by providing a specially crafted word containing invalid UTF-8 bytes to the `:spellgood` command. The patch's test shows the payload `0\xac` (a NUL byte followed by 0xac) passed to `spellgood!` triggers the error. No authentication is required if the attacker can supply input to Vim's spell-checking functionality [ref_id=1].

Affected code

The vulnerability resides in the `store_word` and `spell_add_word` functions in Vim's spell-checking code. After the patch, both functions call `utf_valid_string()` to validate input before processing it. Before the patch they lacked this check, so invalid UTF-8 bytes could reach the word tree via `vim_strncpy` and `find_word`.

What the fix does

The patch adds a call to `utf_valid_string()` at the beginning of both `store_word` and `spell_add_word` when `enc_utf8` is set. If the input word contains illegal UTF-8 bytes, the function returns `FAIL` (in `store_word`) or emits error `E1280` and returns early (in `spell_add_word`). This prevents invalid bytes from being copied into the word tree, avoiding the heap buffer overflow in `vim_strncpy`/`find_word` [ref_id=1].
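
A minimal sketch of the validate-before-store pattern described above, added here as an illustration and not taken from Vim's source. The names `utf8_valid` and `add_word_checked` are hypothetical, and the validator is a simplified structural check, not Vim's `utf_valid_string()`.

```c
#include <stddef.h>
#include <string.h>

#define OK   1
#define FAIL 0

/* Expected sequence length for a lead byte, or 0 if it cannot start one. */
static size_t utf8_seq_len(unsigned char b)
{
    if (b < 0x80) return 1;
    if (b >= 0xC2 && b <= 0xDF) return 2;
    if (b >= 0xE0 && b <= 0xEF) return 3;
    if (b >= 0xF0 && b <= 0xF4) return 4;
    return 0;   /* stray continuation byte (0x80-0xBF) or illegal lead byte */
}

/* Structural check: each lead byte is legal and is followed by the
 * number of continuation bytes (10xxxxxx) that it announces. */
int utf8_valid(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(s[i]);
        if (n == 0 || n > len - i)
            return 0;               /* illegal lead or truncated sequence */
        for (size_t k = 1; k < n; k++)
            if ((s[i + k] & 0xC0) != 0x80)
                return 0;           /* missing continuation byte */
        i += n;
    }
    return 1;
}

/* Hypothetical stand-in for a word-list insert: reject the word before
 * any byte is copied, then copy with an explicit bound. */
int add_word_checked(char *dst, size_t dstsize, const char *word)
{
    size_t len = strlen(word);
    if (len == 0 || len >= dstsize)
        return FAIL;
    if (!utf8_valid((const unsigned char *)word, len))
        return FAIL;                /* illegal bytes never reach storage */
    memcpy(dst, word, len + 1);
    return OK;
}
```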

Preconditions

  • config: Vim must be compiled with the FEAT_SPELL feature enabled
  • input: Attacker must be able to supply input to the :spellgood command (e.g., via a crafted file or direct command)

Reproduction

Run `spellgood! 0\xac` in Vim (the test uses `call assert_fails("spellgood! 0\u0002\xac", 'E1280:')`). Prior to the patch, this causes a heap buffer overflow in `vim_strncpy`/`find_word` [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10