VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 5, 2022· Updated Nov 3, 2025

Stack-based Buffer Overflow in vim/vim

CVE-2022-2304

Description

Stack-based buffer overflow in Vim's spell dumping code prior to 9.0 allows potential code execution via crafted input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Vim's spell dumping code prior to 9.0 allows potential code execution via crafted input.

Vulnerability

A stack-based buffer overflow exists in the spell_dump_compl function of Vim versions prior to 9.0. The flaw occurs when dumping spell completion suggestions; if a word exceeds MAXWLEN, the array index depth is not properly bounded, leading to out-of-bounds write [1].

Exploitation

An attacker can trigger the overflow by crafting a spell file with an extremely long word or by manipulating the completion process to cause Vim to process such a word. No authentication is required if the victim opens the malicious file or triggers spell completion via user interaction.

Impact

Successful exploitation results in a stack-based buffer overflow, which could lead to denial of service or, potentially, remote code execution depending on the system and compiler protections.

Mitigation

The issue is fixed in Vim 9.0 (patch 9.0.0035) and later. Users should upgrade to Vim 9.0.0060 or higher as recommended by Gentoo [4]. No workaround is available.

References
  1. patch 9.0.0035: spell dump may go beyond end of an array · vim/vim@54e5fed
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.