VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2182

Description

Heap-based buffer overflow in Vim prior to 8.2 via crafted command-line address.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-based buffer overflow in Vim prior to 8.2 via crafted command-line address.

Vulnerability

A heap-based buffer overflow exists in the parse_cmd_address function in Vim prior to version 8.2. Processing a malicious command-line address like :0;'{ can cause a read past the end of the first line. The bug is fixed in patch 8.2.5150 [1].

Exploitation

An attacker can exploit this by providing a crafted command-line address that includes zero as a line number followed by a mark or pattern. Successful exploitation requires the user to execute the crafted command in Vim, which may occur via social engineering or if Vim is used to process untrusted files (e.g., via vim -c).

Impact

Exploitation results in a heap-based buffer over-read, potentially leading to information disclosure or denial of service. In the worst case, it may enable arbitrary code execution, though the commit indicates it was a read past the end of the first line.

Mitigation

The vulnerability is fixed in Vim version 8.2.5150 or later [1]. Users should upgrade to at least this version. The Gentoo GLSA [4] recommends upgrading to >=app-editors/vim-9.0.0060. No known workaround exists.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 39

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing cursor column validation when address zero is used, allowing a heap-buffer over-read on an empty first line."

Attack vector

An attacker can trigger a heap-based buffer overflow by crafting a Vim command that uses address `0` followed by a mark movement, such as `0;'(`. When the first line of the buffer is empty, the cursor is left at line zero after address parsing, and the subsequent mark movement reads past the end of that empty line [ref_id=1]. The attacker needs to convince a victim to open a crafted file and execute the malicious command, or supply the command through a plugin or autocmd.

Affected code

The vulnerability is in the `parse_cmd_address` function in Vim's source code. The patch modifies the handling of address `0` in command-line parsing, specifically the block that checks cursor position after parsing an address. The test added in the patch (`Test_mark_from_line_zero`) shows the crash occurs when using the command `0;'(` on an empty first line.

What the fix does

The patch adds a call to `check_cursor_col()` in the branch where `eap->line2` is zero, which was previously only handled by `check_cursor()` when `line2 > 0`. The commit message explains that the fix prevents reading "past the end of the first line" when using address zero [ref_id=1]. This ensures the cursor column is validated even when the line number is zero, preventing the out-of-bounds read.
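To make the shape of the fix concrete, the following is a simplified C model added for this page; it is not Vim's code, and the struct and function names (pos_T, buf_T, model_check_cursor_col, simulate) only echo Vim's by analogy. It assumes what the narrative above implies: that address 0 leaves the cursor on "line zero" with a stale column from wherever the cursor was before, and that the fix clamps that column against the first line (empty in the trigger case) before any mark movement consults it. The buffer contents are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model written for this page; it is not Vim's code. The names
 * pos_T and check_cursor_col only echo Vim's by analogy. */
typedef struct { long lnum; int col; } pos_T;

typedef struct {
    const char *lines[2];   /* constructed two-line buffer */
    long line_count;
    pos_T cursor;
} buf_T;

/* Address 0 ("before the first line"): the model sets lnum to 0 and, as the
 * unpatched parser is assumed to do here, leaves the previous column alone. */
static void set_address_zero(buf_T *buf)
{
    buf->cursor.lnum = 0;
}

/* Column check modelled on what the fix adds: clamp the column to the line
 * the cursor really sits on, treating lnum 0 as line 1. */
static void model_check_cursor_col(buf_T *buf)
{
    long lnum = buf->cursor.lnum < 1 ? 1 : buf->cursor.lnum;
    size_t len = strlen(buf->lines[lnum - 1]);
    if (buf->cursor.col < 0)
        buf->cursor.col = 0;
    if ((size_t)buf->cursor.col > len)
        buf->cursor.col = (int)len;   /* at most the terminating NUL */
}

/* 1 when the column lies within the line's storage (up to and including its
 * NUL), 0 when a read at cursor.col would go past the end of the line. */
static int cursor_col_in_bounds(const buf_T *buf)
{
    long lnum = buf->cursor.lnum < 1 ? 1 : buf->cursor.lnum;
    size_t len = strlen(buf->lines[lnum - 1]);
    return buf->cursor.col >= 0 && (size_t)buf->cursor.col <= len;
}

/* Replay the address-zero step on a buffer whose first line is empty while
 * the cursor sits at column 3 of "xxxx" on line 2. validate != 0 applies the
 * column check. Returns 1 if the following mark movement would read inside
 * the line, 0 if it would read past the end of the empty first line. */
static int simulate(int validate)
{
    buf_T buf = { { "", "xxxx" }, 2, { 2, 3 } };
    set_address_zero(&buf);
    if (validate)
        model_check_cursor_col(&buf);
    return cursor_col_in_bounds(&buf);
}

int main(void)
{
    printf("unpatched: col in bounds = %d\n", simulate(0));   /* 0 */
    printf("patched:   col in bounds = %d\n", simulate(1));   /* 1 */
    return 0;
}
```

The point the model isolates is that a line-number reset is also a column invalidation: any branch that moves the cursor to a different line, including the special "line zero" case, has to re-validate the column before later code indexes the line with it.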

Preconditions

  • Input: the victim must open a file whose first line is empty
  • Input: the attacker must supply or trigger the command `0;'(` (or a similar zero-address mark command)

Reproduction

The patch includes a test case that reproduces the issue: open a new buffer, insert 'xxxx' on a line, then execute `0;'(` which should fail with 'E20: mark not set' instead of crashing [ref_id=1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.