VYPR
Unrated severity · NVD Advisory · Published Jun 30, 2022 · Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2257

Description

Out-of-bounds read in Vim's str2special function when processing menu items with only modifier, leading to potential information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an out-of-bounds read in the `str2special` function in Vim prior to version 9.0. It occurs when processing a menu item that contains only a modifier (e.g., `<T-2-^@>`): the code advances the pointer past the end of the string when it encounters a NUL byte. Affected versions: all Vim versions before 9.0. [1]

Exploitation

An attacker can trigger this vulnerability by crafting a menu item with a specific sequence (e.g., `\x80\xfc0`) that includes a NUL byte. The attacker needs the ability to define or load a menu with such content, which could be achieved through a malicious file or plugin. No authentication is required if the user opens a crafted file, and no user interaction is needed beyond opening the file. [1]

Impact

Successful exploitation results in an out-of-bounds read, which could disclose adjacent memory contents, leak sensitive data, or cause a crash. The CVSS score is not provided in the references, but the impact is limited to read operations. [1]

Mitigation

The vulnerability is fixed in Vim version 9.0 (patch 9.0.0009). Users should upgrade to Vim 9.0 or later. Gentoo recommends upgrading to >=9.0.0060. No workaround is available. [1][4]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unconditional pointer advancement past a NUL byte in str2special() causes an out-of-bounds read."

Attack vector

An attacker can craft a menu item containing a modifier-only key sequence (e.g., `\x80\xfc0`) that causes `str2special()` to read past the end of the string. When the menu is displayed (e.g., via `:tmenu`), the out-of-bounds read occurs, potentially leaking memory or causing a crash [1]. The precondition is that the attacker can supply or influence menu definitions in a Vim session.

Affected code

The vulnerability is in the `str2special()` function in Vim's source code. The faulty line, which handles single-byte characters or illegal bytes, is `*sp = str + 1;`. It unconditionally advances the pointer by one, even when `str` points to a NUL byte, causing an out-of-bounds read [1].

What the fix does

The patch changes the pointer advancement from unconditional (`*sp = str + 1`) to conditional on whether the current byte is NUL: `*sp = str + (*str == NUL ? 0 : 1)` [1]. This ensures that when `str` points to a NUL terminator, the pointer is not advanced past the end of the string, preventing the out-of-bounds read. A regression test (`Test_only_modifier`) was also added to verify the fix [1].
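The cursor-advance bug and its fix, as an added example rather than Vim's source: a simplified C model in which `step`, `overrun`, `arena` and `plain` are hypothetical names and the 3-byte modifier prefix is an assumption based on the page's example sequence. The bytes after the terminator are constructed and stay inside the demo's own array.

```c
#include <stddef.h>
#include <stdio.h>

#define NUL '\0'

/* Simplified model, not Vim's code: one step of a key-name walker.
 * Assumption: bytes 0x80 0xfc <m> form a 3-byte modifier prefix, as in the
 * page's example sequence \x80\xfc0. Returns the key byte it looked at. */
static unsigned char step(const unsigned char **sp, int fixed)
{
    const unsigned char *str = *sp;

    if (str[0] == 0x80 && str[1] == 0xfc && str[2] != NUL)
        str += 3;                           /* skip the modifier prefix */

    if (fixed)
        *sp = str + (*str == NUL ? 0 : 1);  /* patched: stay on the NUL */
    else
        *sp = str + 1;                      /* original: may step past it */
    return *str;
}

/* Walk the way a caller loop would: call step() until the cursor sees NUL.
 * Returns how many bytes past the terminator (index term) the cursor ended;
 * 0 means it stopped on the terminator. cap bounds the demo's own reads. */
static long overrun(const unsigned char *buf, size_t term, size_t cap, int fixed)
{
    const unsigned char *p = buf;
    while (p < buf + cap && *p != NUL)
        step(&p, fixed);
    return (long)(p - (buf + term));
}

/* Constructed samples. arena: modifier-only item with its NUL at index 3,
 * followed by bytes standing in for unrelated adjacent memory. */
static const unsigned char arena[16] =
    { 0x80, 0xfc, '0', NUL, 'S', 'E', 'C', 'R', 'E', 'T', NUL };
static const unsigned char plain[4] = { 'a', 'b', NUL };

int main(void)
{
    printf("original: cursor ends %ld bytes past NUL\n", overrun(arena, 3, 16, 0));
    printf("patched:  cursor ends %ld bytes past NUL\n", overrun(arena, 3, 16, 1));
    return 0;
}
```

With the original advance, the walker skips the item's terminator and keeps consuming the neighbouring bytes until it happens to meet another NUL; with the patched advance it stops on the terminator, and ordinary strings behave the same either way.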

Preconditions

  • input: Attacker must be able to supply or influence menu definitions (e.g., via a malicious .vimrc or file opened in Vim).
  • input: The crafted menu item must contain a modifier-only key sequence that triggers the vulnerable code path in `str2special()`.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
