VYPR
Unrated severity · NVD Advisory · Published May 26, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-1886

Description

A heap-based buffer overflow in Vim's do_put function prior to patch 8.2.5016 could lead to arbitrary code execution or denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow vulnerability exists in the do_put function in Vim versions prior to patch 8.2.5016. The flaw occurs when accessing text before the start of a line during a put command, specifically when handling multi-byte characters or certain edge cases. This allows overwriting memory adjacent to allocated heap buffers. [1]

Exploitation

An attacker can trigger the vulnerability by crafting a malicious file or sequence of edit commands that cause a put operation to access memory before the start of a text line. The attacker does not require authentication but may need to convince a user or automated system to open the crafted file in Vim. The sequence involves using [P or similar put commands with empty registers or multi-byte text. [1]

Impact

Successful exploitation can lead to heap corruption, potentially resulting in denial of service or arbitrary code execution in the context of the Vim process. The vulnerability has a CVSS score of 7.3 (high severity) as per the provided CVE header. [1]

Mitigation

The vulnerability is fixed in Vim version 8.2.5016 and later. Users should upgrade to a patched version. Gentoo Linux recommends upgrading to >=app-editors/vim-9.0.0060 (per GLSA 202208-32) or >=app-editors/vim-9.0.1157 (per GLSA 202305-16). No workarounds are available. [1], [3], [4]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing length check before calling mb_head_off on a zero-length yank register buffer causes an out-of-bounds memory access."

Attack vector

An attacker can trigger a heap-based buffer overflow by crafting a sequence of Vim normal-mode commands that cause a put operation (`[P` or similar) to access memory before the start of a text line. The test case in the patch shows the attack sequence: `norm yy`, `norm [Pi00ggv)s0`, then `sil! norm [P` [ref_id=1]. When `len` (the length of the yank register content) is zero, the original code calls `mb_head_off` with a pointer offset that goes before the allocated buffer, causing an out-of-bounds read.

Affected code

The vulnerability is in the `do_put` function in Vim's source code, specifically in the logic that calculates `curbuf->b_op_end.col` when executing a put command. The patch modifies the block at lines 2221-2226 of the original file, adding a length check before calling `mb_head_off` on the yank register content.

What the fix does

The patch adds a guard `if (len > 0)` before the `mb_head_off` call, ensuring the function is only called when the yank register content has non-zero length [ref_id=1]. This prevents the out-of-bounds access that occurs when `len` is zero, because `mb_head_off` would otherwise be called with a pointer offset that precedes the start of the allocated buffer. The patch also includes a new test function `Test_put_empty_register()` to verify the fix.
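The arithmetic behind the root cause, as an added illustration that is not Vim's code: `utf8_head_off()` stands in for `mb_head_off()`, `last_byte_offset_unguarded()` models the `text + len - 1` pointer the unguarded code forms (returning the offset rather than dereferencing it, so the model stays defined), and `end_col_guarded()` mirrors the `if (len > 0)` guard from patch 8.2.5016. The `textcol` parameter and the 0-based column convention are assumptions; the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Stand-in for Vim's mb_head_off(): given the buffer start and a byte pointer
 * inside it, return how many bytes the pointer lies past the first byte of its
 * UTF-8 character. Continuation bytes have the form 10xxxxxx, so walk back
 * over them, never stepping before `base`.
 */
static size_t utf8_head_off(const unsigned char *base, const unsigned char *p)
{
    const unsigned char *q = p;
    while (q > base && (*q & 0xC0) == 0x80)
        q--;
    return (size_t)(p - q);
}

/*
 * Model of the unguarded arithmetic: the put code points at the last byte of
 * the register text as text + len - 1. With len == 0 that is offset -1, one
 * byte before the heap allocation, which is the out-of-bounds access the
 * advisory describes. The offset is returned instead of dereferenced.
 */
static long last_byte_offset_unguarded(size_t len)
{
    return (long)len - 1;
}

/*
 * Hardened computation mirroring the `if (len > 0)` guard. `textcol` is the
 * column where the text was inserted (assumed 0-based). Returns 1 and writes
 * the end column when there is text; returns 0 and leaves the column at
 * textcol for an empty register, so the head-offset lookup is never reached
 * with a pointer that precedes the buffer.
 */
static int end_col_guarded(const unsigned char *text, size_t len,
                           size_t textcol, size_t *out_col)
{
    if (len == 0) {
        *out_col = textcol;
        return 0;
    }
    size_t off = utf8_head_off(text, text + len - 1);
    *out_col = textcol + (len - 1) - off;
    return 1;
}

/* Stand-alone driver: an empty register, then a register holding "a" + U+00E9. */
int main(void)
{
    /* Constructed sample input, not taken from the advisory. */
    static const unsigned char sample[] = { 'a', 0xC3, 0xA9 };
    size_t col = 0;

    printf("unguarded offset for len=0: %ld (before the buffer)\n",
           last_byte_offset_unguarded(0));

    int had_text = end_col_guarded(sample, 0, 4, &col);
    printf("empty register: had_text=%d end col=%zu\n", had_text, col);

    had_text = end_col_guarded(sample, sizeof sample, 4, &col);
    printf("\"a\\xC3\\xA9\": had_text=%d end col=%zu\n", had_text, col);
    return 0;
}
```

The guarded path is the defensive pattern to look for in any code that forms `base + len - 1`: the subtraction is only meaningful once `len` is known to be at least one, and an empty input must be handled before the pointer is built, not after.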

Preconditions

  • input: The attacker must be able to supply crafted input to Vim that results in a put command being executed with an empty yank register.
  • auth: The attacker must be able to execute normal-mode commands in Vim, typically by opening a crafted file or through a plugin that processes attacker-controlled text.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)