VYPR
Unrated severity · NVD Advisory · Published May 19, 2022 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-1796

Description

Use-after-free in Vim's do_window function when searching for a defined word triggers freed memory access, fixed in 8.2.4979.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free exists in the do_window function of Vim before patch 8.2.4979 [1]. When the user runs the window command that searches for a macro definition (CTRL-W_d, also reachable as CTRL-W_CTRL-D, the "#define" search), do_window calls find_ident_under_cursor, which returns a pointer into the buffer holding the current line rather than a copy of the identifier. do_window then hands that pointer to find_pattern_in_path. If the current line is flushed while the search is running (its cached, edited copy is written back into the buffer's line storage and the cache freed), the pointer is left dangling and the search reads freed memory [1]. All Vim installations running an affected version are exposed.

Exploitation

An attacker needs the victim to open a crafted file in Vim and then run CTRL-W CTRL-D (or another operation that invokes do_window with FIND_DEFINE) [1]. The file or the surrounding state must also leave the current line in a form that gets flushed after find_ident_under_cursor has taken its pointer but before find_pattern_in_path is done with it; an edit that is still cached when the search starts, or a buffer modification from an autocmd, both do this [1]. The patch's test case shows the simplest form: setline fills the buffer, sil norm o0 opens a new line containing "0" and leaves that edit cached, and sil! norm followed by CTRL-W CTRL-D starts the definition search, which flushes the cached line while still holding a pointer into it and then reads the freed buffer [1].

Impact

Successful exploitation makes find_pattern_in_path read its search pattern from heap memory that has already been freed, so the pattern is whatever the allocator has placed in that chunk since, which a crafted file can influence [1]. The observable outcome ranges from a crash (denial of service) to memory corruption with the potential for code execution, depending on the heap state. The vulnerability has a CVSS score of 7.8 (High) and can compromise the confidentiality, integrity, and availability of the system [2][3].

Mitigation

Vim fixed this issue in patch 8.2.4979, released on 2022-05-19 [1]. Gentoo GLSA 202208-32 recommended upgrading Vim to 9.0.0060 or later, and the later GLSA 202305-16 raised the recommended version to 9.0.1157 [2][3]. Users should update their Vim installation to a patched version; there is no known workaround for unpatched versions [2][3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

38

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free: `do_window()` passes a pointer into a line buffer to `find_pattern_in_path()` without copying it first, and the line can be freed before the pointer is used."

Attack vector

An attacker can trigger the use-after-free with a buffer whose current line is still cached as an unflushed edit at the moment `do_window()` takes a pointer into it. The reproduction uses `setline()` to create the buffer content, then executes `CTRL-W_CTRL-D` through a `norm` command (the literal control characters did not survive extraction of this page), which enters the vulnerable code path. When the search flushes the line, the cached buffer is freed and can be reused, and the stale pointer `ptr` is then dereferenced inside `find_pattern_in_path()` [ref_id=1].

Affected code

The vulnerability is in the `do_window()` function in Vim's source code. The function calls `find_ident_under_cursor()`, which returns a pointer `ptr` into the current line rather than a copy, then passes that pointer directly to `find_pattern_in_path()`. If the line is flushed while `find_pattern_in_path()` is still using `ptr` (the search fetches other lines of the buffer, and fetching a line other than the cached one flushes the cache), the pointer is dangling.

What the fix does

The patch [ref_id=1] makes a copy of the string returned by `find_ident_under_cursor()` using `vim_strnsave()` before passing it to `find_pattern_in_path()`. This ensures the pointer remains valid even if the underlying line is freed. The copy is freed with `vim_free()` after `find_pattern_in_path()` returns. The patch also adds a test case `Test_define_search()` that reproduces the crash scenario.
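The pointer lifetime described under "Affected code" and the copy-then-free fix described above, as an added example in C that is not Vim's code: a toy memline keeps the line being edited in a separate heap cache and flushes it when any other line is fetched, exactly the sequence that leaves `ptr` dangling. The `toy_*` names, the four-line buffer and the scribble-on-release stand-in for `vim_free()` (so the stale read is observable without undefined behaviour) are assumptions of the example; the line contents are those of the patch's test case as described on this page.

```c
/* Added example, not Vim's source: a toy memline that reproduces the
 * CVE-2022-1796 pattern. All toy_* names are hypothetical stand-ins. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define TOY_NLINES 4

typedef struct {
    char *block[TOY_NLINES]; /* committed text of each line */
    char *dirty;             /* heap cache of the line being edited, or NULL */
    int   curline;           /* line the cache belongs to */
    char *graveyard;         /* last released chunk, kept so the demo is UB-free */
} toy_memline;

/* vim_strnsave(): NUL-terminated heap copy of the first len bytes. */
static char *toy_strnsave(const char *s, size_t len)
{
    char *p = malloc(len + 1);
    if (p) { memcpy(p, s, len); p[len] = '\0'; }
    return p;
}

/* ml_flush_line(): commit the cached edit to block storage and release the
 * cache. Instead of free() we scribble over the chunk as a reusing allocator
 * would, so a stale pointer observably reads garbage rather than UB. */
static void toy_flush_line(toy_memline *ml)
{
    free(ml->block[ml->curline]);
    ml->block[ml->curline] = toy_strnsave(ml->dirty, strlen(ml->dirty));
    memset(ml->dirty, 'X', strlen(ml->dirty));
    free(ml->graveyard);
    ml->graveyard = ml->dirty;
    ml->dirty = NULL;
}

/* find_ident_under_cursor(): hands back a pointer INTO the current line
 * (cursor assumed at column 0), plus the identifier length. */
static int toy_find_ident_under_cursor(toy_memline *ml, char **pp)
{
    char *s = ml->dirty ? ml->dirty : ml->block[ml->curline];
    int len = 0;
    while (isalnum((unsigned char)s[len]) || s[len] == '_')
        len++;
    *pp = s;
    return len;
}

/* find_pattern_in_path() with FIND_DEFINE, reduced to "first #define line
 * containing ident as a word"; returns its index or -1. Like Vim's ml_get(),
 * fetching a line other than the cached one flushes the cache mid-search. */
static int toy_find_pattern_in_path(toy_memline *ml, const char *ident, int len)
{
    for (int lnum = 0; lnum < TOY_NLINES; lnum++) {
        if (ml->dirty && lnum != ml->curline)
            toy_flush_line(ml);
        const char *t = ml->block[lnum];
        if (strncmp(t, "#define", 7) != 0)
            continue;
        for (t += 7; *t != '\0'; t += strcspn(t, " ")) {
            t += strspn(t, " ");
            size_t n = strcspn(t, " ");
            if (n == (size_t)len && memcmp(t, ident, n) == 0)
                return lnum;
        }
    }
    return -1;
}

/* do_window() before patch 8.2.4979: the in-line pointer goes straight to the
 * search, which flushes the line and then reads the released chunk. */
static int toy_do_window_vulnerable(toy_memline *ml)
{
    char *ptr;
    int len = toy_find_ident_under_cursor(ml, &ptr);
    return len == 0 ? -1 : toy_find_pattern_in_path(ml, ptr, len);
}

/* do_window() after the patch: copy first (vim_strnsave), search, free. */
static int toy_do_window_fixed(toy_memline *ml)
{
    char *ptr, *copy;
    int len = toy_find_ident_under_cursor(ml, &ptr);
    if (len == 0 || (copy = toy_strnsave(ptr, (size_t)len)) == NULL)
        return -1;
    int found = toy_find_pattern_in_path(ml, copy, len);
    free(copy);
    return found;
}

/* Run one variant on the patch's test buffer (constructed here): the three
 * setline() lines plus the "o0" edit still cached on line 4, cursor on it.
 * Returns the index the search reported; "#define something 0" is index 2. */
static int toy_run(int (*variant)(toy_memline *))
{
    static const char *text[TOY_NLINES] = { "first line", "", "#define something 0", "" };
    toy_memline ml = { { 0 }, NULL, 3, NULL };
    for (int i = 0; i < TOY_NLINES; i++) ml.block[i] = toy_strnsave(text[i], strlen(text[i]));
    ml.dirty = toy_strnsave("0", 1);          /* the pending "o0" edit */
    int found = variant(&ml);
    for (int i = 0; i < TOY_NLINES; i++) free(ml.block[i]);
    free(ml.dirty); free(ml.graveyard);
    return found;
}
```

Calling `toy_run(toy_do_window_fixed)` locates the define on index 2 because the copied identifier survives the flush; `toy_run(toy_do_window_vulnerable)` searches for whatever now occupies the released chunk and finds nothing. In real Vim the released chunk is handed back to the allocator, so the same stale read hits memory that may already belong to something else, which is what the patch title "accessing freed memory when line is flushed" describes.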

Preconditions

  • input: The attacker must be able to supply a buffer with specific line content (e.g., via setline()) that triggers a line flush during the CTRL-W_CTRL-D command.
  • auth: The attacker must be able to execute normal mode commands in Vim (e.g., via silent norm).

Reproduction

The test case in the patch [ref_id=1] reproduces the issue: create a new buffer, set its lines to `['first line', '', '#define something 0']`, open a new line containing `0` with `sil norm o0` (this edit stays cached), then run `sil! norm` followed by the literal CTRL-W CTRL-D keystrokes (the control characters did not survive extraction of this page). The definition search flushes the cached line while still holding a pointer into it, triggering the use-after-free.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.