VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2022 · Updated Aug 3, 2024

Buffer Over-read in vim/vim

CVE-2022-2175

Description

A buffer over-read in Vim's command-line expression evaluation allows attackers to cause invalid memory access via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A buffer over-read vulnerability exists in the cmdline_insert_reg function of Vim when evaluating expressions on the command line. The issue occurs because the new_cmdpos variable is not properly saved and restored, leading to a negative insertion position and subsequent out-of-bounds read. This affects all versions of Vim prior to patch 8.2.5148 (i.e., before commit 6046ade). [1]

Exploitation

An attacker can trigger the vulnerability by providing a specially crafted command-line input that invokes expression evaluation (e.g., using `<C-\>e`). The attacker does not require authentication if Vim is used in a scenario where untrusted files or commands are processed (e.g., opening a malicious file). The exploit requires user interaction, as the victim must execute the crafted input in Vim's command-line mode. [1]

Impact

Successful exploitation results in a buffer over-read, potentially causing a crash (denial of service) or exposure of sensitive memory contents (information disclosure). [1]

Mitigation

The vulnerability is fixed in Vim version 8.2.5148 (commit 6046ade). Users should upgrade to the latest version of Vim. Gentoo recommends upgrading to app-editors/vim-9.0.0060 or later. [1][4] No workarounds are available.
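To confirm whether a given host already carries the fix, the following added example (not part of the advisory or of Vim) classifies `vim --version` output against patch 8.2.5148. The function name `vim_has_fix` and its three output words are this example's own. It assumes that a build with backported fixes lists them individually on the "Included patches:" line, and it treats any release newer than 8.2 as fixed.

```shell
#!/bin/sh
# Added example: decide from `vim --version` text whether patch 8.2.5148 is present.
# vim_has_fix is a name chosen for this example, not a Vim or distro tool.

# Usage: vim --version | vim_has_fix   -> prints "fixed", "vulnerable" or "unknown"
vim_has_fix() {
    awk -v want_major=8 -v want_minor=2 -v want_patch=5148 '
    # Banner line, e.g. "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled ...)"
    /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
        split($5, v, "[.]")
        major = v[1] + 0; minor = v[2] + 0; seen = 1
    }
    # Patch list, e.g. "Included patches: 1-3995, 4563, 4646"
    /^Included patches:/ {
        sub(/^Included patches:[ \t]*/, "")
        n = split($0, items, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            if (split(items[i], r, "-") == 2) {
                # A range such as 1-5148 covers the patch if it lies inside it
                if (r[1] + 0 <= want_patch && want_patch <= r[2] + 0) has = 1
            } else if (items[i] + 0 == want_patch) {
                # A single backported patch number
                has = 1
            }
        }
    }
    END {
        if (!seen) { print "unknown"; exit }
        if (major > want_major || (major == want_major && minor > want_minor))
            print "fixed"          # later release line, patch numbering restarts
        else if (major == want_major && minor == want_minor && has)
            print "fixed"
        else
            print "vulnerable"
    }'
}

# Constructed sample input (not captured from a real host):
printf '%s\n' 'VIM - Vi IMproved 8.2 (2019 Dec 12)' \
              'Included patches: 1-3995, 4563, 5148' | vim_has_fix
```

A result of "unknown" means the banner line was not found, for example when the binary on the PATH is not Vim.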

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing save/restore of new_cmdpos variable causes a negative cursor position, leading to a buffer over-read."

Attack vector

An attacker can trigger this vulnerability by crafting a command-line expression that uses the expression register (`<C-\>e`) combined with a numbered register (`<C-R>0`). When the expression evaluation sets `new_cmdpos` to -1 and the subsequent register insertion does not restore the original value, the negative position causes an out-of-bounds read on the command-line buffer [ref_id=1]. The test case in the patch shows the exact sequence: `?<C-\>e0<C-R>0<Esc>?<C-\>e0<CR>` [ref_id=1].

Affected code

The bug is in `cmdline_insert_reg()` in Vim's source code, specifically around the expression-evaluation branch where `new_cmdpos` is set to -1 without being restored afterward [ref_id=1]. The patch modifies lines 1206-1269 of that function.

What the fix does

The patch saves the original `new_cmdpos` value before the expression-evaluation block and restores it afterward [ref_id=1]. Previously, the code set `new_cmdpos = -1` during expression insertion (line 1230) but never reset it, leaving a negative cursor position that caused an invalid memory access when the command line was later redrawn. The fix also removes a stale comment that described saving the command line, which was no longer accurate [ref_id=1].

Preconditions

  • input: Attacker must supply a crafted command-line input that uses the expression register (`<C-\>e`) followed by a numbered register (0).
  • auth: Attacker must have the ability to enter command-line mode in Vim (e.g., via normal mode commands or a malicious file).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
