Use After Free in vim/vim

Vulnerability

A use-after-free vulnerability exists in Vim prior to patch 8.2.5024, in the nv_brackets function within src/ex_docmd.c. When the ]d command is used to search for a definition, a pointer (ptr) to a line is passed to find_pattern_in_path without first making a copy. If the pattern search modifies the buffer (e.g., by triggering a line change), the pointer becomes stale and freed memory is accessed. Any Vim version before 8.2.5024 is affected [2].

Exploitation

An attacker needs to convince a user to open a specially crafted file in Vim that triggers the ]d command on a pattern that causes a buffer change during the search. No special authentication or network access is required; the user interaction of opening the file and issuing the command (or having it triggered automatically via a modeline or other script) is sufficient. The race condition is avoided by the fix, which creates a copy of the pointer before passing it [2].

Impact

Successful exploitation can lead to a use‑after‑free, which may cause memory corruption, a crash, or potentially arbitrary code execution in the context of the Vim process. The Apple advisory notes that processing a maliciously crafted image (in their specific context) could lead to arbitrary code execution [1]. However, for the Vim vulnerability itself, the primary impact is denial of service or code execution depending on how the freed memory is reused.

Mitigation

The vulnerability is fixed in Vim patch 8.2.5024 and later [2]. Users should update to Vim 8.2.5024 or newer. The Apple advisory for macOS Ventura 13 (released October 24, 2022) includes a fix for this CVE [1]. No working workaround is known for unpatched versions; disabling the ]d command or using a different editor may reduce risk. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.