VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 2, 2022· Updated Aug 3, 2024

Integer Overflow or Wraparound in vim/vim

CVE-2022-2285

Description

Integer overflow in Vim's terminal code handling prior to 9.0 allows out-of-bounds read via crafted escape sequences, potentially leading to information disclosure or crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Integer overflow in Vim's terminal code handling prior to 9.0 allows out-of-bounds read via crafted escape sequences, potentially leading to information disclosure or crash.

Vulnerability

Integer overflow in the check_termcode function in Vim's terminal handling code (prior to version 9.0) can cause an out-of-bounds read when processing specially crafted escape sequences. The issue occurs because the length calculation for the typahead buffer can wrap around, leading to an under-allocated buffer or incorrect bounds check. Affected versions are all Vim releases before 9.0. [3]

Exploitation

An attacker who can supply crafted terminal escape sequences to a Vim session (e.g., by tricking a user into opening a malicious file or connecting to a malicious terminal) can trigger the integer overflow. No authentication is required; the attack relies on user interaction (opening a file or receiving terminal output). The overflow leads to reading beyond the allocated buffer.

Impact

Successful exploitation could result in information disclosure (reading adjacent memory) or a denial of service (crash). The commit [3] addresses the issue by adding a null terminator and proper bounds checking. The Gentoo advisory [4] notes that the worst impact could be denial of service.

Mitigation

The vulnerability is fixed in Vim version 9.0.0018 and later. Users should upgrade to Vim 9.0.0060 or higher as recommended by Gentoo [4]. No workaround is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.

References
  1. patch 9.0.0018: going over the end of the typahead · vim/vim@27efc62
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing null-termination of the typeahead buffer in check_termcode() allows out-of-bounds read."

Attack vector

An attacker can send a crafted terminal escape sequence that causes `check_termcode()` to read past the end of the typeahead buffer. The missing null-terminator means subsequent string operations on the buffer can read out-of-bounds memory. This can be triggered by a user executing a sequence like `:set \x80\xfb0=0` in Normal mode, as shown in the test added by the patch [ref_id=1]. The bug is reachable when the terminal sends escape sequences that are not properly terminated.

Affected code

The vulnerability is in the `check_termcode()` function in Vim's source code. The patch adds a null-terminator (`tp[len] = NUL;`) after reading terminal escape sequences from the typeahead buffer, preventing an out-of-bounds read when the buffer is later processed as a string.

What the fix does

The patch adds `tp[len] = NUL;` in `check_termcode()` to null-terminate the typeahead buffer after processing the escape sequence [ref_id=1]. This ensures that any subsequent string operations on the buffer will not read beyond its allocated length. The fix also includes a regression test (`Test_using_past_typeahead`) that reproduces the out-of-bounds condition using crafted escape sequences.

Preconditions

  • inputThe user must execute a crafted Normal-mode command that triggers a terminal escape sequence (e.g., `:set \x80\xfb0=0`)
  • configThe terminal must be in a mode where escape sequences are processed (default terminal behavior)

Reproduction

The patch includes a test function `Test_using_past_typeahead` that reproduces the issue [ref_id=1]: 1. Map `:00` to nothing. 2. Execute `:set \x80\xfb0=0

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.