Out-of-bounds Write in vim/vim
Description
Out-of-bounds write in Vim's diff mode due to an uninitialized variable in diff_mark_adjust_tp, leading to potential memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an out-of-bounds write in the diff_mark_adjust_tp function in Vim's source code, specifically in the adjustment of diff blocks when lines are deleted. The local variable off was not initialized on every code path before it was used, leading to an out-of-bounds write. This affects Vim versions prior to patch 8.2.5164 (commit c101abff4c6756db4f5e740fde289decb9452efa) [1]. The code path is reachable when Vim's diff mode (e.g., vimdiff) is in use and buffer manipulations trigger the adjustment of diff marks.
Exploitation
An attacker would need to trick a user into opening a specially crafted file in Vim's diff mode, or cause the user to perform specific buffer operations that reach the vulnerable code path. No authentication is required beyond local access to Vim. The attacker must supply a file or sequence of edits that makes the diff code adjust marks in such a way that the uninitialized off variable leads to an out-of-bounds write. The exact steps are not publicly detailed, but the commit's test case (Test_diff_manipulations) shows a sequence of commands that reproduces the issue [1].
Impact
Successful exploitation could result in memory corruption, potentially leading to a denial of service (crash) or arbitrary code execution. The out-of-bounds write occurs in heap memory, so the actual impact depends on the memory layout at the time. The issue is classified as an out-of-bounds write, a weakness that can be leveraged for more severe attacks when combined with other techniques.
Mitigation
The fix was released in Vim patch 8.2.5164, available in the referenced commit [1]. Users should upgrade to Vim 8.2.5164 or later. For distributions, the Gentoo GLSA [4] recommends upgrading to >=app-editors/vim-9.0.0060. No workaround is known; users should apply the patch as soon as possible.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords (37 versions, no CPE); each entry gives the package URL and the fixed-version range:
- pkg:rpm/opensuse/vim, openSUSE Leap 15.3: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim, openSUSE Leap 15.4: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim, openSUSE Leap Micro 5.2: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim, openSUSE Tumbleweed: < 9.0.0453-2.1
- pkg:rpm/suse/vim, SUSE Enterprise Storage 6: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Enterprise Storage 7: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15-ESPOS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.1: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.2: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP3: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP4: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP3: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP4: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP2-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP3-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP4-LTSS: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP1-BCL: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP1-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP2-BCL: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP2-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15-LTSS: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP1: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP2: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Manager Proxy 4.1: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Manager Retail Branch Server 4.1: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE Manager Server 4.1: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim, SUSE OpenStack Cloud 9: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE OpenStack Cloud Crowbar 9: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing initialization of the offset variable `off` in `diff_mark_adjust_tp` leads to an out-of-bounds write when diff buffer manipulations occur."
Attack vector
An attacker can trigger this out-of-bounds write by crafting a sequence of diff buffer manipulations in Vim, such as splitting windows, setting the `diff` option, and performing undo/redo operations with specific key sequences [ref_id=1]. The vulnerability occurs in the `diff_mark_adjust_tp` function when deleted lines interact with diff blocks: the variable `off` is used uninitialized in certain code paths (cases 2, 3, 4, 5), leading to an invalid memory access [ref_id=1]. The test case in the patch demonstrates the attack vector: `set diff`, `split 0`, then a series of `norm` commands with `R`, `doo`, `bd`, `eu`, and window movements [ref_id=1].
Affected code
The vulnerable function is `diff_mark_adjust_tp` in Vim's diff.c, as shown in the patch at commit c101abff4c6756db4f5e740fde289decb9452efa [ref_id=1]. The bug is the uninitialized use of the `off` variable in the diff block adjustment logic that handles inserted and deleted lines (cases 2, 3, 4, and 5) [ref_id=1].
What the fix does
The patch initializes `off = 0` at the top of the outer block (line 406) and moves the assignment `off = dp->df_lnum[idx] - lnum_deleted` so that it executes only in case 5 (line 429), the one place it is actually needed [ref_id=1]. Previously, `off` was set to 0 only in the `else` branch (case 2), leaving it uninitialized in cases 3 and 4, and the case-5 assignment sat before the `if` check, so it also ran on the wrong code path [ref_id=1]. The fix ensures `off` always has a defined value before it is used, preventing the out-of-bounds write.
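A simplified model of the fixed case structure in C, added here as an illustration and not Vim's code: the struct, the case numbering and the `off`/`n` bookkeeping are assumptions reduced from the description above (no chaining to the next diff block), and the function name `adjust_deleted_lines` is hypothetical. It shows why initialising `off` once at the top makes cases 3 and 4 safe: those paths reach the final loop without ever assigning `off`.

```c
#define DB_COUNT 8   /* Vim's maximum number of buffers in diff mode */

/* Simplified diff block: start line and line count per diff buffer. */
typedef struct {
    long df_lnum[DB_COUNT];
    long df_count[DB_COUNT];
} diffblock_T;

/* Lines line1..line2 were deleted in buffer idx; lnum_deleted is the first
 * deleted line not yet accounted for. Hypothetical model of the fixed case
 * structure: off is defined before any branch and only case 5 overwrites it.
 * Returns the case taken (2..5) so a caller can check the path. */
static int adjust_deleted_lines(diffblock_T *dp, int idx, int nbuf,
                                long line1, long line2,
                                long lnum_deleted, long deleted)
{
    long last = dp->df_lnum[idx] + dp->df_count[idx] - 1;
    long off = 0;   /* the fix: defined on every path, not only in case 2 */
    long n;
    int which;
    if (dp->df_lnum[idx] >= line1) {
        if (last <= line2) {            /* 4. delete all lines of the block */
            n = deleted - dp->df_count[idx];
            dp->df_count[idx] = 0;
            which = 4;
        } else {                        /* 5. delete at/just before the top */
            off = dp->df_lnum[idx] - lnum_deleted;  /* only case needing off */
            n = off;
            dp->df_count[idx] -= line2 - dp->df_lnum[idx] + 1;
            which = 5;
        }
        dp->df_lnum[idx] = line1;
    } else if (last < line2) {          /* 2. delete at end of the block */
        dp->df_count[idx] -= last - lnum_deleted + 1;
        n = line2 - last;
        which = 2;
    } else {                            /* 3. delete inside the block */
        n = 0;
        dp->df_count[idx] -= deleted;
        which = 3;
    }
    /* Other buffers: shift start by off, grow count by n. Pre-fix, cases 3
     * and 4 reached this loop with off uninitialised. */
    for (int i = 0; i < nbuf; ++i) {
        if (i == idx) continue;
        dp->df_lnum[i] = dp->df_lnum[i] > off ? dp->df_lnum[i] - off : 1;
        dp->df_count[i] += n;
    }
    return which;
}
```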
Preconditions
- input: Attacker must supply a crafted sequence of diff buffer manipulations (e.g., via a malicious file or automated commands) that triggers the specific code path in diff_mark_adjust_tp.
- config: Vim must be in diff mode (`set diff`) with split windows.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFD2A4YLBR7OIRHTL7CK6YNMEIQ264CN/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U743FMJGFQ35GBPCQ6OWMVZEJPDFVEWM/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- github.com/vim/vim/commit/c101abff4c6756db4f5e740fde289decb9452efa (mitre)
- huntr.dev/bounties/020845f8-f047-4072-af0f-3726fe1aea25 (mitre)
News mentions
No linked articles in our index yet.