Classic Buffer Overflow in vim/vim

Vulnerability

A classic buffer overflow exists in Vim versions prior to [8.2.4969] [2]. The flaw resides in the changed_common() and stop_insert() functions, where the Visual mode selection position (VIsual) is not properly validated after text changes [2]. When Visual mode is active and a modification occurs, the code can access memory outside the allocated buffer boundary, leading to a classic buffer overflow condition [2]. The issue is triggered specifically when VIsual_active is true and the visual selection coordinates become invalid after editing operations [2].

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted file in Vim or gVim with Visual mode enabled [2]. No authentication or network access is required beyond delivering the malicious file (e.g., via email attachment, web download, or repository) [2]. When the user performs an edit operation (such as deleting or replacing text) while Visual mode is active, the check_visual_pos() function was either missing or incomplete, causing the buffer overflow to occur [2]. The attacker does not need any prior access or special privileges on the target system.

Impact

Successful exploitation can lead to arbitrary code execution in the context of the Vim process [1]. On macOS Ventura 13, Apple's advisory notes that “processing a maliciously crafted image may lead to arbitrary code execution” [1], though the vulnerability is general to any editor session [2]. The attacker gains the same privileges as the user running Vim, which may allow full compromise of the user's files and system [1,2].

Mitigation

The fix was released in Vim version 8.2.4969 [2]. Users should upgrade to Vim 9.0.0060 or later as recommended by Gentoo [3], or to Vim 9.0.1157 per later advisories [4]. Apple included the fix in macOS Ventura 13 (released October 24, 2022) [1]. No workaround is available if upgrading is not possible [3,4].