VYPR
Unrated severity · NVD Advisory · Published May 29, 2022 · Updated Aug 3, 2024

Buffer Over-read in vim/vim

CVE-2022-1927

Description

A buffer over-read in Vim's parse_cmd_address function, fixed in version 8.2, could be triggered by a crafted address range.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A buffer over-read vulnerability exists in Vim prior to version 8.2, specifically in the `parse_cmd_address` function. The issue occurs when processing a malformed address range, such as one using the `;` separator, and can read beyond allocated memory. The problem was addressed in commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010, which introduced a `need_check_cursor` flag and changed the early `return FAIL` statements to `goto theend` so that cleanup always runs [2].

Exploitation

An attacker can exploit this vulnerability by providing a crafted file containing a specially crafted address range command (e.g., one using a `0;` range). When the file is opened or processed in Vim, the vulnerable code path in `parse_cmd_address` can be reached without authentication or special privileges. The attacker only needs to convince a user to open the malicious file in Vim [2].

Impact

Successful exploitation could lead to arbitrary code execution or denial of service due to memory corruption. The vulnerability can be triggered remotely without authentication, potentially compromising the confidentiality, integrity, and availability of the system [1].

Mitigation

Vim patched this vulnerability in version 8.2 with commit 4d97a565ae8be0d4debba04ebd2ac3e75a0c8010 [2]. Users should upgrade to Vim 8.2 or later. This issue is also addressed in Apple macOS Ventura 13 [1]. No other workarounds have been documented.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 43

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing cursor position validation after a failed address parse in "0;" range allows a buffer over-read."

Attack vector

An attacker can supply a crafted command-line address range using the "0;" separator (e.g., `0;/PATTERN/`). When `get_address()` returns an error (eap->cmd becomes NULL), the original code immediately returned FAIL without calling `check_cursor()`. This leaves `curwin->w_cursor` pointing to an invalid line number, which later triggers a buffer over-read when Vim attempts to read or display the buffer contents at that cursor position [ref_id=1]. The attack requires the victim to execute a malicious command or open a file that triggers such an address range.

Affected code

The vulnerable code is in the `parse_cmd_address()` function in Vim's source. The function handles comma- and semicolon-separated address ranges. When `get_address()` returns an error (eap->cmd becomes NULL), the original code returned FAIL without calling `check_cursor()`, leaving the cursor at an invalid position [ref_id=1].

What the fix does

The patch replaces early `return FAIL` statements with `goto theend;` and introduces a `need_check_cursor` flag [ref_id=1]. At the new `theend:` label, if `need_check_cursor` is TRUE, `check_cursor()` is called to validate and correct the cursor position before returning. This ensures that even when address parsing fails, the cursor is never left on an illegal line, preventing the buffer over-read.
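As an added illustration (not Vim's source and not the cited commit), the following compact C model contrasts the early `return FAIL` with the patched `goto theend` path; the `buf_T`/`win_T` structs, the digit-only address parser, and the failing `//` address are constructed assumptions for this example only.

```c
/* Not Vim's source: a constructed model of the parse_cmd_address() fix (assumptions noted inline). */
#include <stddef.h>
#define OK   1
#define FAIL 0
typedef struct { long line_count; } buf_T;                 /* constructed stand-in */
typedef struct { buf_T *buffer; long cursor_lnum; } win_T; /* constructed stand-in */
/* Model of check_cursor(): clamp the cursor to a legal line, 1..line_count. */
static void model_check_cursor(win_T *win) {
    if (win->cursor_lnum < 1) win->cursor_lnum = 1;
    if (win->cursor_lnum > win->buffer->line_count)
        win->cursor_lnum = win->buffer->line_count;
}
/* Model of get_address(): a single digit is a line number; anything else (e.g. "//", assumed
 * here to be an empty pattern with no previous search) fails and sets *cmd to NULL, mirroring
 * the advisory's description of eap->cmd becoming NULL on error. */
static long model_get_address(const char **cmd) {
    const char *p = *cmd;
    if (*p >= '0' && *p <= '9') { *cmd = p + 1; return *p - '0'; }
    *cmd = NULL; return -1;
}
/* Model of parse_cmd_address(): fixed == 0 reproduces the vulnerable early "return FAIL",
 * fixed == 1 the patched "goto theend"; the two paths differ only after a failed parse. */
static int model_parse_cmd_address(win_T *win, const char *cmd, int fixed) {
    int need_check_cursor = 0, ret = OK;
    for (;;) {
        long lnum = model_get_address(&cmd);
        if (cmd == NULL) {
            ret = FAIL;
            if (!fixed) return FAIL;   /* vulnerable: cursor is left on an illegal line */
            goto theend;               /* fixed: fall through to the cursor check */
        }
        if (*cmd != ';') break;
        win->cursor_lnum = lnum;       /* ';' moves the cursor before the next address */
        need_check_cursor = 1;         /* lnum may be 0, which is not a legal line */
        ++cmd;
    }
theend:
    if (need_check_cursor) model_check_cursor(win);  /* the fix: validate before returning */
    return ret;
}
/* Helpers: run one command on a constructed 5-line buffer with the cursor on line 3. */
static int result_of(const char *cmd, int fixed) {
    buf_T b = { 5 }; win_T w = { &b, 3 };
    return model_parse_cmd_address(&w, cmd, fixed);
}
static long cursor_after(const char *cmd, int fixed) {
    buf_T b = { 5 }; win_T w = { &b, 3 };
    model_parse_cmd_address(&w, cmd, fixed);
    return w.cursor_lnum;
}
```

With `fixed == 0`, `cursor_after("0;//", 0)` returns 0 (an illegal line that later buffer access would trust); with `fixed == 1` the same input still fails the parse but leaves the cursor clamped to line 1.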

Preconditions

  • Input: the victim must execute a Vim command or open a file that triggers a `0;` address range with an invalid pattern.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0 (no linked articles in the index yet)