VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 19, 2022· Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2125

Description

Heap-based buffer overflow in Vim before 8.2 allows arbitrary code execution via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-based buffer overflow in Vim before 8.2 allows arbitrary code execution via a crafted file.

Vulnerability

CVE-2022-2125 is a heap-based buffer overflow vulnerability in the Vim text editor, affecting all versions prior to 8.2. The flaw resides in memory handling when processing specially crafted input, leading to a heap overflow.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a maliciously crafted file with Vim. No special privileges are required beyond the ability to open a file.

Impact

Successful exploitation could lead to arbitrary code execution in the context of the Vim process, potentially allowing an attacker to compromise the system.

Mitigation

The vulnerability is fixed in Vim version 8.2. Users should update to the latest version. No workarounds are available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NUL-terminator check in the Lisp indentation loop allows heap-based buffer over-read."

Attack vector

An attacker can craft a file containing a line such as `'[` (a quote followed by an opening bracket) and trigger Lisp indentation by setting `lisp` and `autoindent` options, then performing an indentation operation (e.g., `v k =` in normal mode). The `get_lisp_indent()` function iterates through the line without checking for the NUL terminator, causing a heap-based buffer over-read when the line ends unexpectedly [ref_id=1].

Affected code

The vulnerability is in the `get_lisp_indent()` function in Vim's source code. The patch adds a bounds check (`if (*that == NUL) break;`) inside the loop that processes Lisp indentation, preventing the loop from reading past the end of a line when the line ends with a quote character.

What the fix does

The patch adds a single check `if (*that == NUL) break;` inside the loop in `get_lisp_indent()`. This ensures that when the loop encounters the end-of-line NUL character (e.g., after a quote that closes the line), it breaks out of the loop instead of continuing to read past the buffer boundary. The fix also includes a test case (`Test_lisp_indent_quoted`) that reproduces the crash scenario with the line `'[` [ref_id=1].

Preconditions

  • inputThe victim must open a file containing a crafted line (e.g., ending with a quote character followed by an opening bracket) in Vim
  • configThe 'lisp' and 'autoindent' options must be set (locally or globally)
  • inputThe attacker must induce the victim to perform an indentation operation (e.g., pressing 'v k =' in normal mode)

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13

News mentions

0

No linked articles in our index yet.