VYPR
← All advisories
Unrated severityNVD Advisory· Published Jul 8, 2022· Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2343

Description

A heap-based buffer overflow in Vim's ins_compl_infercase_gettext function could lead to arbitrary code execution prior to version 9.0.0044.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap-based buffer overflow in Vim's `ins_compl_infercase_gettext` function could lead to arbitrary code execution prior to version 9.0.0044.

Vulnerability

A heap-based buffer overflow exists in the ins_compl_infercase_gettext function in insexpand.c, used during insert mode completion. The flaw occurs when a long line triggers incorrect length calculations, leading to a heap buffer overflow. All Vim versions prior to 9.0.0044 are affected [1].

Exploitation

An attacker can exploit this by providing a specially crafted file that, when opened in Vim and completion is triggered (e.g., via Ctrl-P), causes a heap overflow. No user authentication is required beyond opening the file, but user interaction is needed to trigger completion.

Impact

Successful exploitation may result in arbitrary code execution with the privileges of the Vim process, potentially allowing an attacker to compromise the system. No public exploit code is known.

Mitigation

The vulnerability is fixed in Vim version 9.0.0044 [1]. Users should upgrade to at least this version. Gentoo Linux advisories recommend upgrading to >=9.0.0060 [3] and later to >=9.0.1157 [4]. No workarounds are available.

References
  1. patch 9.0.0045: reading past end of completion with a long line · vim/vim@caea664
  2. Multiple Vulnerabilities (GLSA 202208-32) — Gentoo security
  3. Multiple Vulnerabilities (GLSA 202305-16) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check when converting wide-character completion text back to multi-byte output in a fixed-size buffer."

Attack vector

An attacker can trigger a heap-based buffer overflow by providing a long completion line with multi-byte characters during Vim's insert-mode completion. When `ins_compl_infercase_gettext` converts the wide-character array back to multi-byte output, it writes into the fixed `IObuff` buffer without proper bounds checking, overflowing adjacent heap memory. The attacker must be able to supply text that Vim will attempt to complete (e.g., via a crafted file or input).

Affected code

The vulnerability is in the `ins_compl_infercase_gettext` function in `src/insexpand.c`. The function writes completed text into a fixed-size `IObuff` buffer without checking the output length when multi-byte characters are expanded, leading to a heap-based buffer overflow.

What the fix does

The patch replaces the fixed `IObuff` buffer with a dynamically-grown `garray_T` (`gap`). When the output would exceed `IOSIZE` minus a safety margin, the code switches to the growarray, preventing overflow. The function now also returns allocated memory via a `tofree` parameter, and the caller (`ins_compl_add_infercase`) frees it. This ensures that arbitrarily long completed text can be safely stored without overflowing the stack or heap buffer.

Preconditions

  • configVim must be in insert mode with 'infercase' option enabled (b_p_inf) and 'ignorecase' (p_ic) set.
  • inputThe attacker must supply or cause Vim to generate a completion candidate whose multi-byte representation exceeds the fixed IObuff size.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.