Out-of-bounds Write in vim/vim
Description
Out-of-bounds write in Vim's command-line window when using Ex mode with modifiers, fixed in version 9.0.0025.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Out-of-bounds write vulnerability in Vim's command-line window (cmdwin) when processing Ex mode commands with modifiers. The issue occurs in the parse_command_modifiers function, where a STRCPY operation could write beyond the allocated memory. Affected: versions prior to 9.0.0025, which is the patch that fixes it [1].
Exploitation
An attacker must trick a user into executing a crafted command in Ex mode within the command-line window, e.g. by using gQ to enter Ex mode and then running a command with a modifier such as :atopleft. The out-of-bounds write occurs when that command is processed [1].
Impact
Successful exploitation could cause memory corruption, potentially leading to denial of service or arbitrary code execution. The vulnerability is classified as out-of-bounds write with high severity [4].
Mitigation
Fixed in Vim version 9.0.0025 (commit c6fdb15) [1]. Users should upgrade to Vim 9.0.0060 or later as recommended by Gentoo [4]. No known workarounds exist.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Out-of-bounds write in parse_command_modifiers when replacing an empty command's placeholder with a string longer than the allocated buffer."
Attack vector
An attacker can trigger an out-of-bounds write by crafting a command-line sequence in Ex mode that causes the `parse_command_modifiers` function to copy a string longer than the allocated buffer. The patch description notes this was "accessing memory after allocated text in Ex mode" [1]. The attack requires the victim to execute a specially crafted command sequence (e.g., via `feedkeys`, as shown in the test) that hits the empty-command-with-`"+"` code path, where the previous code wrote `"'
Affected code
The vulnerability is in the `parse_command_modifiers` function in Vim's source code. The faulty code handles a special case where an empty command uses `"+"` — it previously performed `STRCPY(orig_cmd + len, "'
What the fix does
The patch changes the string copied in the empty-command special case from `"'
Preconditions
- input: The victim must execute a crafted command-line sequence in Ex mode that triggers the empty-command-with-'+' code path in parse_command_modifiers.
- input: The command must be constructed so that the original command string is allocated with insufficient space to hold the replacement string.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/vim/vim/commit/c6fdb15d423df22e1776844811d082322475e48a (MITRE)
2. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/ (MITRE, vendor advisory)
3. lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/ (MITRE, vendor advisory)
4. security.gentoo.org/glsa/202208-32 (MITRE, vendor advisory)
5. security.gentoo.org/glsa/202305-16 (MITRE, vendor advisory)
6. huntr.dev/bounties/a71bdcb7-4e9b-4650-ab6a-fe8e3e9852ad (MITRE)