VYPR
Unrated severity · NVD Advisory · Published Jul 2, 2022 · Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2286

Description

Out-of-bounds read in Vim's completion code (prior to 9.0) could be triggered by crafted input, leading to potential information disclosure or crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in the ins_compl_stop function in Vim's completion code. When a user presses Ctrl-E during completion, the function previously read past the end of the copied text without proper bounds checking. This affects Vim versions prior to 9.0. The fix was introduced in patch 9.0.0020 [1].

Exploitation

An attacker can exploit this by crafting a file or input that triggers the completion mechanism with specific characters. The test case Test_complete_overrun demonstrates the issue using a sequence of special characters. The attacker would need to convince a user to open the crafted file or type the malicious input in a Vim session where completion is invoked. No authentication or network access is required; local user interaction is sufficient.

Impact

Successful exploitation results in an out-of-bounds read, which could lead to the disclosure of sensitive memory contents or cause a denial of service (crash). The vulnerability does not directly allow code execution, but information leakage may aid further attacks.

Mitigation

The vulnerability is fixed in Vim 9.0 and later. Users should upgrade to Vim 9.0.0060 or higher as recommended by the Gentoo security advisory [4]. No workaround is available. The CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check when computing the length of a completion string leads to an out-of-bounds read."

Attack vector

An attacker can trigger the out-of-bounds read by crafting a file or input that causes Vim's completion mechanism to call `get_compl_len()` on a string (`compl_leader` or `compl_orig_text`) and then read past its end via `ins_bytes()` [ref_id=1]. The payload in the test case (`sil norm si”0s0 `) shows that a sequence of special key codes during completion can produce a `compl_len` value larger than the actual string length, causing `ins_bytes(p + compl_len)` to read out of bounds [ref_id=1]. No authentication is required; the attacker only needs to convince a victim to open the crafted file in Vim.

Affected code

The vulnerable code is in `ins_compl_stop()` in Vim's source, where `ins_bytes(compl_leader + get_compl_len())` and `ins_bytes(compl_orig_text + get_compl_len())` are called without verifying that `get_compl_len()` does not exceed the actual string length [ref_id=1]. The patch modifies this function to add a length check before reading.

What the fix does

The patch [ref_id=1] replaces the direct call `ins_bytes(compl_leader + get_compl_len())` with a guarded block that first stores the string pointer in `p`, computes both `compl_len` and the actual string length `len = (int)STRLEN(p)`, and only calls `ins_bytes_len(p + compl_len, len - compl_len)` when `len > compl_len`. This ensures the read never goes past the end of the string. The same guard is applied to the `compl_orig_text` path.
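
The guard described above, as an added example in C. It is not Vim's source or the patch itself: `tail_unguarded` and `tail_guarded` are hypothetical stand-ins for the `ins_bytes()` and `ins_bytes_len()` call sites, and the sample string is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Vim source: these helpers stand in for Vim's
 * ins_bytes()/ins_bytes_len() and copy into `out` instead of the buffer. */

/* Unguarded pattern: trusts compl_len. If compl_len > strlen(p), the start
 * pointer p + compl_len is already past the NUL and strlen() reads OOB. */
static size_t tail_unguarded(const char *p, int compl_len,
                             char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    size_t n = strlen(p + compl_len);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p + compl_len, n);
    out[n] = '\0';
    return n;
}

/* Guarded pattern as the fix is described: measure the real length first
 * and read exactly len - compl_len bytes, only when len > compl_len.
 * The compl_len >= 0 test is an extra assumption of this example. */
static size_t tail_guarded(const char *p, int compl_len,
                           char *out, size_t outsz)
{
    int len = (int)strlen(p);
    size_t n = 0;
    if (outsz == 0) return 0;
    if (compl_len >= 0 && len > compl_len) {
        n = (size_t)(len - compl_len);
        if (n >= outsz) n = outsz - 1;
        memcpy(out, p + compl_len, n);
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[32];
    const char *leader = "foobar";          /* constructed sample text */
    /* In-range length: both variants agree and return "bar". */
    printf("%zu ", tail_unguarded(leader, 3, out, sizeof out));
    printf("%zu %s\n", tail_guarded(leader, 3, out, sizeof out), out);
    /* Stale length larger than the string: only the guarded call is safe. */
    printf("%zu \"%s\"\n", tail_guarded(leader, 9, out, sizeof out), out);
    return 0;
}
```

Building with `-fsanitize=address` and passing an oversized `compl_len` to the unguarded helper is a quick way to confirm that a sanitizer flags this class of read in your own code.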

Preconditions

  • input: Victim opens a crafted file in Vim that triggers the completion bug.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
