VYPR
Unrated severity · NVD Advisory · Published May 17, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-1733

Description

Heap-based buffer overflow in vim prior to 8.2.4968 allows arbitrary code execution via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in vim versions prior to 8.2.4968. The vulnerability can be triggered when processing specially crafted input, leading to memory corruption.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a malicious file with vim. No authentication is required, and the attack can be performed remotely if the user opens the file.

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the vim process, potentially leading to full system compromise.

Mitigation

The vulnerability is fixed in vim version 8.2.4968. Users should update to this version or later. No workarounds are known.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 38

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check before accessing `p[i]` when `p[i - 1]` is NUL in `skip_string()` allows reading past the end of the line."

Attack vector

An attacker can craft a specially formatted file that, when opened and subjected to C-indentation processing, causes `skip_string()` to read past the end of the line. The bug occurs when the character before the current position is NUL (end-of-line), yet the code still checks `p[i] == '\''` without first verifying that `p[i - 1]` is valid [ref_id=1]. This out-of-bounds read can lead to a heap-based buffer overflow [CWE-122]. The test case added in the patch shows the trigger: a sequence like `'\0` followed by specific formatting causes the read past end-of-line [ref_id=1].

Affected code

The vulnerability is in the `skip_string()` function in Vim's source code, specifically in the logic that checks for a trailing single quote after processing a numeric escape sequence like `'\000'`. The patch modifies line 92 of the relevant file, adding a check for `p[i - 1] != NUL` before checking `p[i] == '\''` [ref_id=1].

What the fix does

The patch adds a guard condition `p[i - 1] != NUL` before the existing check for a trailing single quote. This ensures the code does not attempt to read `p[i]` when `p[i - 1]` is the end-of-line character (NUL), preventing the out-of-bounds read. The fix also includes a new test function `Test_cindent_check_funcdecl()` that reproduces the crash scenario to prevent regression [ref_id=1].
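The following C model is an added illustration of the scanning pattern described above; it is not Vim's source and not part of this advisory. It reconstructs the single-quote scan from the description (a loop that advances `i` while `p[i - 1]` is a digit, then tests `p[i]` for the trailing quote) and wraps every byte read in an instrumented `peek()` that records, instead of performing, any access beyond the terminating NUL. The names `line_t`, `peek`, `scan_char_literal`, `literal_length` and `triggers_overrun` are hypothetical. Running it with `guarded` set to false reproduces the out-of-bounds read for a line ending in `'\0`; with `guarded` set to true the `p[i - 1] != NUL` check from the fix short-circuits the read.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Instrumented view of one NUL-terminated line. A real program would
 * silently read past the terminator; this model records the overrun. */
typedef struct {
    const char *line;   /* constructed sample line, NUL-terminated */
    size_t len;         /* strlen(line): index of the terminating NUL */
    bool overrun;       /* set if any index > len was ever requested */
} line_t;

static char peek(line_t *l, size_t idx)
{
    if (idx > l->len) {         /* one or more bytes past the NUL */
        l->overrun = true;
        return 0;
    }
    return l->line[idx];
}

/* Hypothetical stand-in for the quote scan the advisory describes. Returns the
 * number of bytes consumed for a complete character literal starting at
 * p[pos], or 0 if none. `guarded` enables the fix's p[i - 1] != NUL check. */
static size_t scan_char_literal(line_t *l, size_t pos, bool guarded)
{
    size_t i;

    if (peek(l, pos) != '\'')
        return 0;
    if (peek(l, pos + 1) == 0)                  /* ' at end of line */
        return 0;
    i = 2;
    if (peek(l, pos + 1) == '\\' && peek(l, pos + 2) != 0) {   /* '\n' or '\000' */
        ++i;
        /* Advances while the previous byte is a digit: for a line ending in
         * '\0 this stops only after i has stepped past the NUL. */
        while (isdigit((unsigned char)peek(l, pos + i - 1)))
            ++i;
    }
    /* Vulnerable form: test p[i] directly. Fixed form: confirm p[i - 1] is not
     * the NUL terminator first, so p[i] is never read past end of line. */
    if ((!guarded || peek(l, pos + i - 1) != 0) && peek(l, pos + i) == '\'')
        return i + 1;
    return 0;
}

/* Bytes consumed for a literal at the start of `line` (0 if not a literal). */
size_t literal_length(const char *line, bool guarded)
{
    line_t l = { line, strlen(line), false };
    return scan_char_literal(&l, 0, guarded);
}

/* True if scanning `line` requested any byte beyond its NUL terminator. */
bool triggers_overrun(const char *line, bool guarded)
{
    line_t l = { line, strlen(line), false };
    scan_char_literal(&l, 0, guarded);
    return l.overrun;
}

int main(void)
{
    const char *samples[] = { "'c'", "'\\n'", "'\\0" };   /* constructed */
    for (size_t k = 0; k < 3; ++k)
        printf("%-6s unguarded overrun=%d  guarded overrun=%d  len=%zu\n",
               samples[k],
               triggers_overrun(samples[k], false),
               triggers_overrun(samples[k], true),
               literal_length(samples[k], true));
    return 0;
}
```

The instrumented `peek()` is the detection idea a defender can reuse when triaging a patch like this one: replace raw indexing with a bounds-recording accessor, feed the regression input from the fix's test case, and confirm the guarded path never requests an index beyond the terminator while the unguarded path does.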

Preconditions

  • input: The victim must open a crafted file in Vim with C-indentation enabled
  • auth: No authentication or special privileges required beyond file access

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0

No linked articles in our index yet.