VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 23, 2022· Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2183

Description

Out-of-bounds read in Vim's lisp indentation function (get_lisp_indent) prior to patch 8.2.5151 could be triggered by a crafted file, leading to crash or information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in Vim's lisp indentation function (get_lisp_indent) prior to patch 8.2.5151 could be triggered by a crafted file, leading to crash or information disclosure.

Vulnerability

An out-of-bounds read vulnerability exists in the get_lisp_indent() function of Vim prior to patch 8.2.5151. The bug occurs when lisp indenting is enabled (set lisp) and the cursor is on a line ending with certain characters (e.g., a tab followed by a non-ASCII character like ü). The code increments a pointer (that) and an amount variable without first checking if the pointer points to the NUL terminator, causing a read beyond the end of the line. This affects all Vim versions before 8.2.5151.

Exploitation

An attacker can exploit this by crafting a malicious text file that triggers the vulnerable code path. The victim must open the file in Vim with lisp indenting enabled and then perform an indentation operation (e.g., pressing == in normal mode). No authentication or special network position is required; the attack is local and relies on user interaction.

Impact

Successful exploitation results in an out-of-bounds read, which may cause a crash (denial of service) or leak sensitive memory contents (information disclosure). The exact impact depends on the memory layout and the data read beyond the line buffer.

Mitigation

The vulnerability is fixed in Vim 8.2.5151, committed as 8eba2bd [1]. Users should upgrade to at least this version. Gentoo Linux recommends upgrading to Vim 9.0.0060 or later [4]. No workaround is available for unpatched versions.

References
  1. patch 8.2.5151: reading beyond the end of the line with lisp indenting · vim/vim@8eba2bd
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NUL-terminator check before incrementing a pointer in get_lisp_indent() allows reading beyond the end of the line buffer."

Attack vector

An attacker can craft a malicious text file containing specific lisp-style content (e.g., a tab character followed by a Unicode character and an opening parenthesis) that triggers the out-of-bounds read when Vim attempts to indent the line in lisp mode. The user must open the file in Vim with `lisp` indentation enabled and then execute the `==` normal-mode command to re-indent the current line [ref_id=1]. This causes `get_lisp_indent()` to read memory beyond the end of the line buffer.

Affected code

The vulnerability is in the `get_lisp_indent()` function in Vim's source code. The patch shows that when processing lisp indentation, the code incremented `that` and `amount` without first checking whether `*that` was the NUL character, leading to a read beyond the end of the line [ref_id=1].

What the fix does

The patch adds a guard condition `if (*that != NUL)` before incrementing the `that` pointer and `amount` counter inside `get_lisp_indent()` [ref_id=1]. This ensures the code does not advance past the end of the line when no character is present, preventing the out-of-bounds read. The fix also includes a new test case (`Test_lisp_indent_works`) that reproduces the crash scenario to verify the correction [ref_id=1].

Preconditions

  • configVim must have 'lisp' indentation enabled (set lisp)
  • inputUser must open a crafted file and run the '==' normal-mode command to trigger re-indentation
  • inputThe file must contain a line ending with specific characters (e.g., tab, Unicode character, opening parenthesis) that cause the pointer to advance past NUL

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.