VYPR
Unrated severity · NVD Advisory · Published Jun 27, 2022 · Updated Aug 3, 2024

NULL Pointer Dereference in vim/vim

CVE-2022-2208

Description

A NULL pointer dereference in vim's diff mode when deleting buffers could lead to a crash, fixed in version 8.2.5163.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is a NULL pointer dereference in the `diff_buf_delete()` function within Vim's diff mode. When a buffer is deleted while diff mode is active, the code attempts to redraw diffs without verifying that the buffer is still valid, leading to a crash. This affects Vim versions prior to 8.2.5163 [1].

Exploitation

An attacker would need to be able to delete buffers while diff mode is enabled. This can be achieved through normal Vim commands or scripts, such as setting diff mode and then executing `:bwipe` on a buffer. No special privileges or network access are required; the attack is local and relies on user interaction or automated script execution [1].

Impact

Successful exploitation results in a denial of service (crash) due to the NULL pointer dereference. There is no indication of code execution or data compromise; the impact is limited to a crash of the Vim process [1].

Mitigation

The fix was released in Vim version 8.2.5163 on 2022-06-27. Users should upgrade to at least this version. The Gentoo security advisory (GLSA 202208-32) recommends upgrading to >=9.0.0060 [1][4]. No workaround is known.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL/buffer-validity check in diff_redraw() when iterating windows after a buffer deletion in diff mode."

Attack vector

An attacker can trigger a NULL pointer dereference by causing Vim to delete a buffer while diff mode is active. The crash occurs in `diff_redraw()` when it iterates over windows and accesses `wp->w_buffer` for a window whose buffer has already been wiped or closed, without a validity check [ref_id=1]. The test case in the patch shows the crash can be reproduced by opening a diff layout, then using `%bwipe!` to wipe all buffers [ref_id=1].

Affected code

The vulnerability is in the `diff_buf_delete()` function in Vim's diff mode implementation. When a buffer is deleted while diff mode is active, the function sets `tp->tp_diffbuf[i] = NULL` and `tp->tp_diff_invalid = TRUE`, then calls `diff_redraw(TRUE)` which iterates over all windows and accesses `wp->w_buffer` without first checking whether that buffer pointer is still valid [ref_id=1].

What the fix does

The patch modifies `diff_redraw()` to add a `buf_valid(wp->w_buffer)` check before accessing the window's buffer, skipping invalid windows. It also changes `diff_buf_delete()` to defer the redraw by setting `need_diff_redraw = TRUE` and calling `redraw_later(VALID)` instead of calling `diff_redraw(TRUE)` immediately, because the buffer state is invalid at that point [ref_id=1].
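The two changes described above, shown as a simplified C model added here for illustration; it is not Vim's source. The names `diff_redraw`, `diff_buf_delete`, `buf_valid`, `need_diff_redraw` and `w_buffer` come from the advisory text, while the struct layouts, the `drawn` field, the `scenario` helper and the omission of `redraw_later()` are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
/* Simplified model, not Vim's source: types and fields are assumptions. */
typedef struct buf { struct buf *next; int lines; } buf_T;
typedef struct win { struct win *next; buf_T *w_buffer; int w_p_diff, drawn; } win_T;

static buf_T *firstbuf;        /* live buffers */
static win_T *firstwin;        /* all windows */
static int need_diff_redraw;   /* set when a redraw has been deferred */

/* A buffer pointer is valid only while it is on the live list. */
static int buf_valid(const buf_T *b) {
    for (const buf_T *p = firstbuf; b != NULL && p != NULL; p = p->next)
        if (p == b) return 1;
    return 0;
}

/* Redraw diff windows, skipping any whose buffer is gone. Returns count. */
static int diff_redraw(void) {
    int n = 0;
    need_diff_redraw = 0;
    for (win_T *wp = firstwin; wp != NULL; wp = wp->next) {
        if (!wp->w_p_diff || !buf_valid(wp->w_buffer))
            continue;                    /* unchecked code dereferences below */
        wp->drawn = wp->w_buffer->lines; /* stand-in for the real redraw work */
        n++;
    }
    return n;
}

/* Unlink the buffer and defer the redraw; windows may still reference it. */
static void diff_buf_delete(buf_T *b) {
    for (buf_T **pp = &firstbuf; *pp != NULL; pp = &(*pp)->next)
        if (*pp == b) { *pp = b->next; break; }
    need_diff_redraw = 1;
}

/* Constructed scenario: two diff windows, the second one's buffer is wiped. */
static int scenario(void) {
    static buf_T b1, b2; static win_T w1, w2;
    b1 = (buf_T){ &b2, 10 }; b2 = (buf_T){ NULL, 20 }; firstbuf = &b1;
    w1 = (win_T){ &w2, &b1, 1, 0 }; w2 = (win_T){ NULL, &b2, 1, 0 }; firstwin = &w1;
    diff_buf_delete(&b2);      /* w2 still points at the unlinked buffer */
    return need_diff_redraw ? diff_redraw() : -1;
}

int main(void) { printf("windows redrawn: %d\n", scenario()); return 0; }
```

In this model the validity check rejects both a NULL `w_buffer` and a pointer to a buffer that has already been unlinked, so the deferred redraw touches only the window whose buffer is still live.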

Preconditions

  • config: Vim must be in diff mode with at least one buffer being deleted or wiped
  • input: Attacker must be able to trigger buffer deletion (e.g., via `:bwipe` or closing a window) while diff mode is active

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
