Use After Free in vim/vim
Description
Use-after-free in Vim's diff put (nv_diffgetput) can be triggered via crafted file, fixed in patch 9.0.0026.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2022-2289 is a use-after-free vulnerability in Vim's ex_diffgetput function, which handles the :diffput and :diffget commands. The issue occurs when mark_adjust() is called and may reallocate memory, invalidating the dp pointer. This affects versions prior to Vim 9.0, specifically before patch 9.0.0026 [1]. The code path is reachable when a user performs diff operations on a crafted file.
Exploitation
An attacker needs to craft a file that triggers the diff commands, and convince a user to open the file and execute :diffput or :diffget. The attacker does not require authentication or special network position; exploitation relies on user interaction. The use-after-free occurs when mark_adjust() is called after adding lines, and the dp pointer becomes dangling due to reallocation [1].
Impact
Successful exploitation could lead to memory corruption, potentially allowing denial of service or arbitrary code execution in the context of Vim. The exact impact depends on the memory layout and attacker control.
Mitigation
The vulnerability is fixed in commit c5274dd (patch 9.0.0026) [1]. Gentoo recommends upgrading to Vim version 9.0.0060 or later [4]. Users should update their Vim installation to the latest version. No known workarounds are available.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (3)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free: after `mark_adjust()` is called, the `dp` pointer may point to freed memory because the diff block list can be reallocated, but the code continues to dereference `dp` without checking its validity."
Attack vector
An attacker can trigger a use-after-free by crafting a buffer diff scenario where `:diffget` or `:diffput` is invoked, causing `mark_adjust()` to reallocate the diff block list. After `mark_adjust()` returns, the existing `dp` pointer may reference freed memory [1]. The code then continues to access `dp->df_count[idx_to]` on the freed memory, leading to a crash or potentially exploitable memory corruption. The attack requires the victim to open a diff view and execute a diffget/diffput command on a crafted buffer.
Affected code
The vulnerable code is in `ex_diffgetput()` in Vim's diff mode implementation [1]. After calling `mark_adjust()`, the function dereferences `dp->df_count[idx_to]` without first verifying that `dp` still points to a valid diff block in the current tab's diff list. The patch introduces a `valid_diff()` helper function that iterates `curtab->tp_first_diff` to check pointer validity.
What the fix does
The patch adds a `valid_diff()` function that walks the current tab's diff block list (`curtab->tp_first_diff`) to verify that `dp` is still a valid entry [1]. After `mark_adjust()` is called (when `added != 0`), the code now checks `valid_diff(dp)` and breaks out of the loop if `dp` is no longer valid, preventing access to freed memory. The comment "mark_adjust() may have made 'dp' invalid" is also moved to its correct location, before the validity check, to document the fix [1].
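A minimal model of the fix pattern described above, written for this entry as an added example; it is not Vim's code. It builds a linked list of diff blocks, substitutes a stand-in (`adjust_marks()`) for the list rebuild that `mark_adjust()` can cause, and re-implements `valid_diff()` as a walk over the live list that compares pointer identity only, never dereferencing `dp`. The struct layout, the helper names other than `valid_diff`, `df_count`, `df_next` and `tp_first_diff`, and the rule by which `adjust_marks()` frees blocks are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a diff block; the layout is an assumption for this
 * example, not Vim's diff_T. */
typedef struct diffblock_S {
    struct diffblock_S *df_next;
    int df_count[2];        /* line count of this block in buffer 0 and 1 */
} diffblock_T;

/* Stands in for curtab->tp_first_diff. */
static diffblock_T *tp_first_diff = NULL;

/* Free the whole list so a scenario can be rebuilt from scratch. */
static void diff_clear(void)
{
    while (tp_first_diff != NULL) {
        diffblock_T *next = tp_first_diff->df_next;
        free(tp_first_diff);
        tp_first_diff = next;
    }
}

/* Append a block with the given per-buffer line counts and return it. */
static diffblock_T *diff_append(int count0, int count1)
{
    diffblock_T *dp = calloc(1, sizeof *dp);
    diffblock_T **link = &tp_first_diff;
    if (dp == NULL)
        return NULL;
    dp->df_count[0] = count0;
    dp->df_count[1] = count1;
    while (*link != NULL)
        link = &(*link)->df_next;
    *link = dp;
    return dp;
}

/* Number of live blocks in the list. */
static int diff_len(void)
{
    int n = 0;
    const diffblock_T *p;
    for (p = tp_first_diff; p != NULL; p = p->df_next)
        n++;
    return n;
}

/* The check the fix introduced, re-implemented here: report whether dp is
 * still an entry of the live list. Only pointer values are compared. */
static int valid_diff(const diffblock_T *dp)
{
    const diffblock_T *p;
    for (p = tp_first_diff; p != NULL; p = p->df_next)
        if (p == dp)
            return 1;
    return 0;
}

/* Stand-in for the side effect of mark_adjust(): rebuilding the list may
 * free blocks. Assumed rule: when 'added' lines are removed (added < 0),
 * every block with that many or fewer lines in buffer idx is unlinked and
 * freed. Returns how many blocks were freed. */
static int adjust_marks(int idx, int added)
{
    int freed = 0;
    diffblock_T **link = &tp_first_diff;
    if (added >= 0)
        return 0;
    while (*link != NULL) {
        diffblock_T *p = *link;
        if (p->df_count[idx] <= -added) {
            *link = p->df_next;
            free(p);
            freed++;
        } else {
            link = &p->df_next;
        }
    }
    return freed;
}

/* Model of the fixed per-block step in ex_diffgetput(): run the adjustment,
 * re-validate dp, and only then update its count. Returns the new count, or
 * -1 when the adjustment freed dp and the code bailed out instead of
 * dereferencing a dangling pointer. */
static int diffput_block(diffblock_T *dp, int idx_to, int added)
{
    if (added != 0) {
        adjust_marks(idx_to, added);
        /* mark_adjust() may have made 'dp' invalid */
        if (!valid_diff(dp))
            return -1;
    }
    dp->df_count[idx_to] += added;
    return dp->df_count[idx_to];
}

int main(void)
{
    diffblock_T *b;
    diff_append(3, 3);
    b = diff_append(1, 1);
    printf("blocks before: %d\n", diff_len());
    /* Removing the last line of b empties it; the adjustment frees it. */
    printf("diffput on b:  %d\n", diffput_block(b, 1, -1));
    printf("blocks after:  %d\n", diff_len());
    diff_clear();
    return 0;
}
```

Two practical notes on this pattern. An identity walk like `valid_diff()` is only as good as the list it consults: if the allocator reuses the freed address for a new block, the check accepts the new block, so it guards against the dangling dereference rather than proving `dp` is the same logical entry. And because the original bug is silent on most inputs, building with `-fsanitize=address` is the realistic way to make a test suite surface this class of defect; the dangling read in the unfixed loop is exactly what ASan's heap-use-after-free report catches.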
Preconditions
- config: Victim must have a diff view open (e.g., vimdiff) with at least one diff block
- input: Attacker must be able to supply crafted buffer content that triggers reallocation of the diff block list during mark_adjust()
- input: The :diffget or :diffput command must be executed on the crafted diff
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/43Y3VJPOTTY3NTREDIFUPITM2POG4ZLP/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UXPO5EHDV6J4B27E65DOQGZFELUFPRSK/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- github.com/vim/vim/commit/c5274dd12224421f2430b30c53b881b9403d649e (mitre)
- huntr.dev/bounties/7447d2ea-db5b-4883-adf4-1eaf7deace64 (mitre)
News mentions (0)
No linked articles in our index yet.