VYPR
Unrated severity · NVD Advisory · Published May 12, 2022 · Updated Aug 3, 2024

NULL Pointer Dereference in function vim_regexec_string at regexp.c:2733 in vim/vim

CVE-2022-1674

Description

NULL pointer dereference in vim's regexp.c allows denial of service via crafted input, fixed in vim 8.2.4938.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A NULL pointer dereference vulnerability exists in the vim_regexec_string function at regexp.c:2733 in Vim versions prior to 8.2.4938. The bug occurs when processing a crafted input that triggers a NULL pointer access, leading to a crash.

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted input to Vim. No authentication or special privileges are required; the attacker only needs to convince a user to open the malicious file or paste the crafted text into Vim.

Impact

Successful exploitation results in a denial of service (application crash) due to the NULL pointer dereference. The crash disrupts the user's editing session but does not allow arbitrary code execution or data exfiltration.

Mitigation

The vulnerability is fixed in Vim version 8.2.4938, released on May 11, 2022. Users should update to this version or later. No workarounds are available; users must apply the patch.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing NULL pointer check on `rmp->regprog` before calling `fname_match()` in `buflist_match()` allows a NULL pointer dereference when processing an invalid regex pattern."

Attack vector

An attacker can trigger a denial of service by providing a crafted invalid pattern to the `:buf` command (e.g., `buf [0--]\&\zs*\zs*e`). When Vim attempts to match this pattern against buffer file names via `buflist_match()`, the regex program pointer (`rmp->regprog`) is NULL, causing a NULL pointer dereference crash in `vim_regexec_string()` [ref_id=1]. The attack requires the ability to supply a malformed pattern to the `:buf` command.

Affected code

The vulnerability is in the `buflist_match()` function in Vim's source code. The crash occurs when `fname_match()` is called with a `rmp->regprog` pointer that is NULL, leading to a NULL pointer dereference in `vim_regexec_string()` at `regexp.c:2733`.

What the fix does

The patch adds a NULL check for `rmp->regprog` before calling `fname_match()` with the long file name. The fix changes the condition from `if (match == NULL)` to `if (match == NULL && rmp->regprog != NULL)` at the relevant line in `buflist_match()`, preventing the NULL pointer dereference [ref_id=1]. The patch also adds a test case that exercises the invalid pattern to verify the fix.
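The condition change described above, as an added example: a simplified C model written for this page, not Vim's source. The names `regexec_model`, `lookup`, `null_entries` and `last_match`, the constructed pattern `"invalid"`, and the assumption that a failed first match leaves `regprog` NULL are all illustrative; the model counts entries with a NULL `regprog` instead of dereferencing it.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Vim's types; this is not Vim's source. */
typedef struct { const char *pat; } regprog_T;
typedef struct { regprog_T *regprog; } regmatch_T;

static int null_entries;        /* matcher entered with regprog == NULL */
static const char *last_match;  /* result of the most recent lookup */

/* Stand-in for vim_regexec_string(): the real function reads through
 * regprog, so a NULL entry is the crash site. Here it is only counted. */
static int regexec_model(regmatch_T *rmp, const char *name)
{
    if (rmp->regprog == NULL) { null_entries++; return 0; }
    /* Assumption: the constructed pattern "invalid" fails at match time
     * and the engine drops the program, leaving regprog NULL. */
    if (strcmp(rmp->regprog->pat, "invalid") == 0) { rmp->regprog = NULL; return 0; }
    return strstr(name, rmp->regprog->pat) != NULL;
}

static const char *fname_match(regmatch_T *rmp, const char *name)
{
    return regexec_model(rmp, name) ? name : NULL;
}

/* patched == 0: condition before the fix; patched == 1: after it. */
static const char *buflist_match(regmatch_T *rmp, const char *sfname,
                                 const char *ffname, int patched)
{
    const char *match = fname_match(rmp, sfname);   /* short name first */
    if (patched ? (match == NULL && rmp->regprog != NULL) : (match == NULL))
        match = fname_match(rmp, ffname);           /* then the long name */
    return match;
}

/* Runs one lookup on constructed names; returns the NULL-entry count. */
static int lookup(const char *pat, int patched)
{
    regprog_T prog = { pat };
    regmatch_T rm = { &prog };
    null_entries = 0;
    last_match = buflist_match(&rm, "a.txt", "/home/u/a.txt", patched);
    return null_entries;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", lookup("invalid", 0), lookup("invalid", 1));
    return 0;
}
```

With the patched condition, a valid pattern that only the long file name satisfies still matches, so the added check does not change normal lookups.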

Preconditions

  • Input: Attacker must be able to supply a crafted invalid pattern to the `:buf` command in Vim

Reproduction

The patch includes a test case that reproduces the crash: open a split window (`vsplit 00000000000000000000000000`), then run `silent! buf [0--]\&\zs*\zs*e` [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
