Unrated severity · NVD Advisory · Published Jul 2, 2022 · Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2287

Description

Out-of-bounds read in Vim's spell word handling allows memory access violation via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Out-of-bounds read in Vim's spell word addition code prior to version 9.0. The function store_word did not validate that the word contained only valid characters, allowing control bytes like 0x02 to be processed, leading to invalid memory access [1].

Exploitation

An attacker can trigger the vulnerability by opening a crafted file or executing a command that adds a spell word containing invalid bytes (e.g., a 0x02 byte). No special privileges are required; user interaction (e.g., opening a file or running a spell command) is sufficient [1].

Impact

Successful exploitation results in an out-of-bounds read, which can cause a crash (denial of service) or potentially leak sensitive memory. The vulnerability is classified as high severity [4].

Mitigation

Fixed in Vim version 9.0.0021 (commit 5e59ea5) [1]. Users should upgrade to Vim 9.0.0060 or later as recommended by Gentoo [4]. No workaround is available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Vulnerability mechanics

Root cause

"Missing validation of word characters before adding them to the spell-checking tree allows control characters to cause an out-of-bounds read."

Attack vector

An attacker can craft a file containing a word with invalid bytes (such as a 0x02 control character) and trigger the spell-checking functionality (e.g., via `z=`) to cause an out-of-bounds read. The test case in the patch shows the attack: adding a word containing a 0x02 byte followed by a slash causes "havoc" due to the missing validation [1]. No authentication is required; the attacker only needs to convince a victim to open the crafted file in Vim and invoke spell-checking.

Affected code

The vulnerability exists in the `store_word` and `spell_add_word` functions in Vim's spell-checking code. The patch introduces a new `valid_spell_word()` function that validates word characters before they are added to the internal word tree [1].

What the fix does

The patch adds a `valid_spell_word()` function that performs two checks: it validates UTF-8 byte sequences (when `enc_utf8` is set) and rejects words containing control characters (bytes below 0x20) or a trailing slash. The existing calls to `utf_valid_string()` in `store_word` and `spell_add_word` are replaced with calls to this new comprehensive validator, preventing invalid words from being stored in the spell-checking tree [1].
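
The two checks described above, as an added stand-alone sketch in C. It is not Vim's source: `spell_word_ok`, `utf8_seq_len` and the `utf8` parameter (standing in for `enc_utf8`) are hypothetical names, the UTF-8 check is a strict one written for this example, and the sample words are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not Vim's source; all names are hypothetical.
 * Length of the well-formed UTF-8 sequence at p, or 0 if malformed.
 * p must be NUL-terminated: the loop stops at NUL and never reads past it. */
static size_t utf8_seq_len(const unsigned char *p)
{
    size_t n, i;

    if (p[0] < 0x80) return 1;
    if (p[0] >= 0xC2 && p[0] <= 0xDF) n = 2;
    else if (p[0] >= 0xE0 && p[0] <= 0xEF) n = 3;
    else if (p[0] >= 0xF0 && p[0] <= 0xF4) n = 4;
    else return 0;                          /* stray continuation or invalid lead */
    for (i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80) return 0;
    if ((p[0] == 0xE0 && p[1] < 0xA0) || (p[0] == 0xF0 && p[1] < 0x90))
        return 0;                           /* overlong encoding */
    if ((p[0] == 0xED && p[1] > 0x9F) || (p[0] == 0xF4 && p[1] > 0x8F))
        return 0;                           /* surrogate or above U+10FFFF */
    return n;
}

/* True when "word" passes the checks the text describes. */
bool spell_word_ok(const char *word, bool utf8)
{
    const unsigned char *p = (const unsigned char *)word;

    while (*p != '\0') {
        size_t n = utf8 ? utf8_seq_len(p) : 1;
        if (n == 0) return false;                       /* malformed UTF-8 */
        if (*p < 0x20) return false;                    /* control byte, e.g. 0x02 */
        if (p[0] == '/' && p[1] == '\0') return false;  /* trailing slash */
        p += n;
    }
    return true;
}

int main(void)
{
    /* Constructed sample words. */
    const char *samples[] = { "hello", "wo/rd", "word/", "a\x02/", "caf\xc3\xa9", "caf\xc3" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: %s\n", i, spell_word_ok(samples[i], true) ? "accept" : "reject");
    return 0;
}
```

The point of running such a check before insertion is that a rejected word never reaches the tree-building code, so later lookups do not have to cope with bytes the tree was not designed to hold.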

Preconditions

  • input: Victim must open a crafted file in Vim and trigger spell-checking (e.g., via the `z=` command)
  • config: Vim must have spell-checking enabled or the attacker's file must trigger spell-checking automatically

Reproduction

The test function `Test_spell_good_word_invalid()` in the patch demonstrates reproduction: open a new buffer, insert a word containing a 0x02 byte and a trailing slash, then run `z=` to trigger spell-checking. This causes an invalid memory access [1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6
