VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 2, 2022· Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2284

Description

A heap buffer overflow in Vim's Visual mode area adjustment when hiding windows allows potential memory corruption or crash in versions prior to 9.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap buffer overflow in Vim's Visual mode area adjustment when hiding windows allows potential memory corruption or crash in versions prior to 9.0.

Vulnerability

A heap-based buffer overflow exists in Vim's handling of Visual mode when the Visual area ends after the end of a line and the :hide command is used, leading to a memory access beyond the allocated buffer. The issue is present in Vim versions prior to 9.0, specifically when win_close() is called without resetting the Visual selection, causing a read beyond the line's memory. [1]

Exploitation

An attacker would need to convince a user to open a specially crafted file in Vim and perform a sequence of operations that trigger the Visual area adjustment after :hide. The attacker does not require network access; the exploit is triggered via local file editing. The specific steps involve setting a Visual selection that extends beyond the end of a line, then hiding a window, which triggers the vulnerable code path. [1]

Impact

Successful exploitation could cause a heap-based buffer overflow, potentially leading to information disclosure (reading beyond line bounds) or a denial of service due to memory corruption. No remote code execution has been demonstrated, but the overflow could corrupt heap data. [1]

Mitigation

The vulnerability is fixed in Vim version 9.0.0017 and later. Users should upgrade to Vim 9.0 or apply the patch from the commit [1]. Gentoo users can upgrade to >=app-editors/vim-9.0.0060 (or gvim and vim-core equivalents) as per GLSA 202208-32 [4]. There is no known workaround other than upgrading.

References
  1. patch 9.0.0017: accessing memory beyond the end of the line · vim/vim@3d51ce1
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing reset of Visual mode before closing a window allows heap-buffer over-read/write when the Visual area extends beyond the end of the line."

Attack vector

An attacker can trigger a heap-based buffer overflow by crafting a Vim script or input that causes Visual mode to be active when a window is closed via `:hide`. The Visual area may end after the end of the line (as shown in the test `Test_visual_area_adjusted_when_hiding`), and when the window is closed without resetting Visual mode, subsequent operations (e.g., `norm! zW`) can read or write beyond the allocated line buffer. The attack requires the victim to open a file and execute the crafted sequence, which can be delivered through a malicious text file or Vim plugin.

Affected code

The vulnerability is in the Vim source file `win_close()` (around line 2594). The patch adds a call to `reset_VIsual_and_resel()` before closing a window when the buffer being closed is not the current buffer (`wp->w_buffer != curbuf`). No other function or file is identified as the root cause.

What the fix does

The patch adds a call to `reset_VIsual_and_resel()` in `win_close()` before applying autocommands when the closing window's buffer differs from the current buffer. This ensures Visual mode is properly terminated before the window is hidden, preventing subsequent operations from accessing memory beyond the end of the line. The included test (`Test_visual_area_adjusted_when_hiding`) reproduces the scenario where a Visual area ends after the end of the line and verifies the fix.

Preconditions

  • inputVictim must open a file in Vim and execute a crafted sequence (e.g., via a malicious text file or plugin) that triggers Visual mode followed by :hide.
  • inputThe Visual area must end after the end of the line (e.g., using blockwise Visual mode with $ to extend past the line end).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.