Use After Free in vim/vim
Description
A use-after-free vulnerability in vim's spell checking, in builds that lack patch 8.2.5072, could allow arbitrary code execution via a crafted file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in vim's spell checking in builds without patch 8.2.5072. The bug is in the spell_move_to() function, which reads an uninitialized variable and dereferences a line pointer after the memline storage it points into has been released or reused. The fix commit [4] initializes the attr variable and records whether the current line is empty before the later ml_get_buf() call that can invalidate the line pointer, so the stale pointer is never read.
Exploitation
An attacker exploits this by crafting a text file that drives spell_move_to() down the vulnerable path. The victim must open the file in vim with spell checking enabled ('spell' set) and trigger a spell-error search, for example by moving to the next misspelled word with ]s. No network position or authentication is required; the attacker only needs to get the file opened, which makes attachments and shared repositories the realistic delivery paths.
Impact
Successful exploitation could allow the attacker to execute arbitrary code in the context of the vim process. This could lead to unauthorized access or control of the user's system, depending on the privileges of the vim session.
Mitigation
The vulnerability is fixed by patch 8.2.5072 [4]; the "8.2" in the description refers to the 8.2 patch series, not to the 8.2.0 release. Users should upgrade to a vim build that includes patch 8.2.5072 or later (check the "Included patches" line of vim --version). There is no dedicated workaround; the affected code runs only when 'spell' is set, so not spell checking untrusted files reduces exposure, but upgrading is the recommended fix.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in spell_move_to() where a line pointer obtained from ml_get_buf() is used after a subsequent ml_get_buf() call invalidates it."
Attack vector
An attacker can trigger the use-after-free with a buffer that makes Vim's spell-checking logic call `ml_get_buf()` again while it is still working on a line obtained from an earlier `ml_get_buf()` call. A pointer returned by `ml_get_buf()` points into the memline's cached line storage and is only valid until the next `ml_get_buf()` call; as the patch comment at [ref_id=1] notes, "this ml_get_buf() may make 'line' invalid." After that second call, the code still uses the stale `line` pointer (at the original `*skipwhite(line) == NUL` check), reading memory that has been freed or reused. The attacker's file needs the line lengths and spell-checking conditions that make the second call release or reuse the storage behind `line`.
Affected code
The vulnerability is in the `spell_move_to()` function in Vim's spell-checking code. The patch modifies `src/spell.c` (the commit at [ref_id=1]): around line 1275 the declaration of `hlf_T attr` now initializes it to 0, and around lines 1308-1497 an `empty_line` variable is introduced that captures whether the current line is empty before the later `ml_get_buf()` call that may invalidate the `line` pointer.
What the fix does
The patch fixes the use-after-free by saving the result of `*skipwhite(line) == NUL` into a local `empty_line` variable *before* the `ml_get_buf()` call that can invalidate `line`. The later check `if (*skipwhite(line) == NUL)` is replaced with `if (empty_line)`, so the stale pointer is never dereferenced. Additionally, `hlf_T attr` is initialized to 0 to prevent use of an uninitialized value. No advisory or additional fix documentation beyond this commit is present in the bundle.
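The stale-pointer pattern in the attack vector and the "save the predicate first" fix are easiest to see in a small model. The following C program is an added example, not vim's code: `toy_ml_get()`, `k_lines`, `empty_lines_before_fix()` and `empty_lines_after_fix()` are hypothetical names. Vim's `ml_get_buf()` returns a pointer into memline storage that the next `ml_get_buf()` call can free or reuse; the toy version uses one reusable slot, so the stale read deterministically returns the wrong line's bytes instead of freed memory (in real vim the same read is a use-after-free that AddressSanitizer would flag).

```c
/* Added example modelling the spell_move_to() bug and its fix. Not vim code. */
#include <stdio.h>
#include <string.h>

#define NUL '\0'
#define MAXLINE 64

/* Constructed sample buffer: lines 0 and 2 are empty or whitespace-only. */
static const char *const k_lines[] = { "", "hello wrld", "   ", "last" };
#define LINE_COUNT ((int)(sizeof(k_lines) / sizeof(k_lines[0])))

static char line_slot[MAXLINE];   /* single reusable slot, like a cached memline block */

/* Hypothetical stand-in for ml_get_buf(): the returned pointer is only
 * valid until the next call, which overwrites the slot. */
static const char *toy_ml_get(int lnum)
{
    strcpy(line_slot, k_lines[lnum]);
    return line_slot;
}

/* Same contract as vim's skipwhite(): skip blanks and tabs. */
static const char *skipwhite(const char *p)
{
    while (*p == ' ' || *p == '\t')
        ++p;
    return p;
}

/* Before the fix: builds the work buffer like spell_move_to() (copy the
 * current line, append the start of the next one, which fetches lnum + 1)
 * and only afterwards asks whether 'line' is empty. Returns a bitmask of
 * the line numbers judged empty. */
unsigned empty_lines_before_fix(void)
{
    unsigned mask = 0;
    char buf[2 * MAXLINE + 2];
    for (int lnum = 0; lnum < LINE_COUNT; ++lnum) {
        const char *line = toy_ml_get(lnum);
        strcpy(buf, line);
        if (lnum + 1 < LINE_COUNT) {
            strcat(buf, " ");
            strcat(buf, toy_ml_get(lnum + 1));   /* 'line' is now stale */
        }
        /* ... vim scans the words in buf here ... */
        if (*skipwhite(line) == NUL)             /* BUG: reads the wrong line's bytes */
            mask |= 1u << lnum;
    }
    return mask;
}

/* After the fix: the predicate is captured into empty_line while 'line'
 * is still valid, and the stale pointer is never dereferenced. */
unsigned empty_lines_after_fix(void)
{
    unsigned mask = 0;
    char buf[2 * MAXLINE + 2];
    for (int lnum = 0; lnum < LINE_COUNT; ++lnum) {
        const char *line = toy_ml_get(lnum);
        int empty_line = *skipwhite(line) == NUL;  /* evaluated before the next fetch */
        strcpy(buf, line);
        if (lnum + 1 < LINE_COUNT) {
            strcat(buf, " ");
            strcat(buf, toy_ml_get(lnum + 1));
        }
        if (empty_line)
            mask |= 1u << lnum;
    }
    return mask;
}

int main(void)
{
    printf("before fix: 0x%x  after fix: 0x%x  (lines 0 and 2 are empty, so 0x5 is right)\n",
           empty_lines_before_fix(), empty_lines_after_fix());
    return 0;
}
```

The buggy version reports only line 1 as empty because, by the time it checks `line`, the slot already holds line 2's whitespace; the fixed version reports lines 0 and 2. Build the real code with `-fsanitize=address` to see the same mistake surface as a heap-use-after-free read rather than a silently wrong answer.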
Preconditions
- config: The victim must open a crafted text file in Vim with spell checking enabled (e.g., via 'set spell').
- input: The crafted file must contain line sequences that make the second ml_get_buf() call release or reuse the storage behind the line pointer during spell-check iteration.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- security.gentoo.org/glsa/202208-32 (mitre; vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre; vendor-advisory)
- seclists.org/fulldisclosure/2022/Oct/28 (mitre; mailing-list)
- seclists.org/fulldisclosure/2022/Oct/41 (mitre; mailing-list)
- seclists.org/fulldisclosure/2022/Oct/43 (mitre; mailing-list)
- seclists.org/fulldisclosure/2022/Oct/45 (mitre; mailing-list)
- github.com/vim/vim/commit/2813f38e021c6e6581c0c88fcf107e41788bc835 (mitre)
- huntr.dev/bounties/8628b4cd-4055-4059-aed4-64f7fdc10eba (mitre)
- support.apple.com/kb/HT213443 (mitre)
- support.apple.com/kb/HT213444 (mitre)
- support.apple.com/kb/HT213488 (mitre)
News mentions
No linked articles in our index yet.