Buffer Over-read in vim/vim
Description
A buffer over-read flaw in Vim prior to 8.2.4974 could allow an attacker to cause a crash or leak memory via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer over-read flaw in Vim prior to 8.2.4974 could allow an attacker to cause a crash or leak memory via a crafted file.
Vulnerability
A buffer over-read vulnerability exists in Vim (the vim command-line editor) prior to version 8.2.4974. The flaw resides in the core editor code and is triggered when opening a specially crafted file. No specific configuration beyond standard usage is required for the vulnerable code path to be reached.
Exploitation
An attacker must deliver a malicious file to the victim and convince them to open it with Vim. No authentication or special network position is required; local access suffices. Once the file is opened, the buffer over-read occurs during parsing, potentially exposing adjacent memory contents.
Impact
Successful exploitation may lead to a crash of the Vim process or unintended disclosure of memory contents, which could include sensitive data. The vulnerability is limited to a buffer over-read (not write), so arbitrary code execution is not directly implied.
Mitigation
The vulnerability is fixed in Vim version 8.2.4974 (and later). Users should update to this version or newer. Distributions shipping older Vim packages (e.g., Fedora, macOS) have received updates via their respective security channels [1]. If an immediate patch is not available, users should avoid opening untrusted files in Vim until the update is applied.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
10- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BFAZTAT5CZC2R6KYDYA2HBAVEDSIX6MW/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IUPOLEX5GXC733HL4EFYMHFU7NISJJZG/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QKIX5HYKWXWG6QBCPPTPQ53GNOFHSAIS/mitrevendor-advisory
- security.gentoo.org/glsa/202208-32mitrevendor-advisory
- security.gentoo.org/glsa/202305-16mitrevendor-advisory
- seclists.org/fulldisclosure/2022/Oct/28mitremailing-list
- seclists.org/fulldisclosure/2022/Oct/41mitremailing-list
- github.com/vim/vim/commit/4748c4bd64610cf943a431d215bb1aad51f8d0b4mitre
- huntr.dev/bounties/522076b2-96cb-4df6-a504-e6e2f64c171cmitre
- support.apple.com/kb/HT213488mitre
News mentions
0No linked articles in our index yet.