VYPR
Unrated severity · NVD Advisory · Published Jul 8, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2344

Description

Heap-based buffer overflow in Vim's ins_compl_add() before 9.0.0045 allows denial of service via crafted completion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow vulnerability exists in the ins_compl_add() function in Vim prior to version 9.0.0045. The bug occurs when processing completion matches: a missing length check allows reading past the end of allocated memory when comparing duplicate matches [1].

Exploitation

An attacker can trigger the vulnerability by causing Vim to perform completion with specially crafted input, such as opening a file containing specific characters that lead to a duplicate match comparison. The exploit requires no authentication but relies on user interaction (e.g., opening a malicious file) [1].

Impact

Successful exploitation results in a heap-based buffer overflow, potentially causing a denial of service (crash) or other undefined behavior due to memory corruption [1].

Mitigation

The vulnerability is fixed in Vim version 9.0.0045. Gentoo security advisories recommend upgrading to vim-9.0.0060 (GLSA 202208-32) or later [3], and subsequently to vim-9.0.1157 (GLSA 202305-16) [4]. No workarounds are available; users should update to the patched version.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 39

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check before accessing `match->cp_str[len]` allows reading past the end of a heap-allocated string when `len` exceeds the string length."

Attack vector

An attacker can trigger a heap-based buffer overflow by crafting input that causes Vim's insert-mode completion mechanism to compare a completion string against a prefix length (`len`) that exceeds the allocated buffer of `match->cp_str`. The patch shows a test case using control characters and the `CTRL-P` / `CTRL-X` completion commands to reproduce the out-of-bounds read [1]. The overflow occurs when `STRNCMP` matches but `match->cp_str[len]` reads past the end of the allocated heap memory.

Affected code

The vulnerability is in the `ins_compl_add()` function in Vim's source code. The flaw occurs in the duplicate-completion check loop where `match->cp_str[len] == NUL` is tested without first verifying that `len` is not longer than the actual string length of `match->cp_str` [1].

What the fix does

The patch adds a length check before the out-of-bounds access: `((int)STRLEN(match->cp_str) <= len || match->cp_str[len] == NUL)`. This ensures that when `len` is greater than or equal to the actual string length, the condition short-circuits to `TRUE` (treating the match as a duplicate) without reading past the buffer. The fix also includes a regression test (`Test_ins_complete_add()`) that exercises the exact crash scenario [1].
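The two conditions described under "Affected code" and "What the fix does", as an added example in C that is not part of this advisory or of Vim's source. It is a minimal model of the duplicate-match loop: `compl_T`, `cp_str`, `STRLEN` and `STRNCMP` mirror Vim names, while the list helpers, the result bitmask and the sample inputs are constructed here. The unguarded variant does not perform the out-of-bounds read; it reports where the original code would have, so the model runs cleanly under a sanitizer.

```c
/* Added example, not Vim's source: a minimal model of the duplicate-match
 * test in ins_compl_add(), unguarded (vulnerable) beside guarded (9.0.0045
 * fix).  compl_T, cp_str, STRLEN and STRNCMP mirror Vim names; the list
 * helpers, result bits and sample inputs are constructed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NUL '\0'
typedef unsigned char char_u;
#define STRLEN(s)        strlen((const char *)(s))
#define STRNCMP(a, b, n) strncmp((const char *)(a), (const char *)(b), (size_t)(n))

typedef struct compl_S compl_T;
struct compl_S {
    compl_T *cp_next;
    char_u  *cp_str;   /* heap copy of the match text, exactly STRLEN+1 bytes */
};

#define R_GUARDED_DUP   1  /* fixed check reports a duplicate */
#define R_UNGUARDED_DUP 2  /* vulnerable check reports a duplicate */
#define R_OOB_READ      4  /* vulnerable check would read cp_str[len] OOB */

/* vim_strnsave()-style copy: len+1 bytes, so index len (the NUL) is the
 * last byte that may legally be read. */
static compl_T *add_match(compl_T *head, const char *text)
{
    size_t n = strlen(text);
    compl_T *m = calloc(1, sizeof *m);
    m->cp_str = malloc(n + 1);
    memcpy(m->cp_str, text, n + 1);
    m->cp_next = head;
    return m;
}

static void free_matches(compl_T *head)
{
    while (head != NULL) {
        compl_T *next = head->cp_next;
        free(head->cp_str);
        free(head);
        head = next;
    }
}

/* Vulnerable shape: STRNCMP(...) == 0 && cp_str[len] == NUL.  strncmp stops
 * at a NUL shared by both strings, so it can succeed while cp_str is shorter
 * than len; cp_str[len] then lies past the allocation.  The model flags that
 * read in *oob instead of performing it (the real result is undefined). */
static int is_dup_unguarded(const compl_T *head, const char_u *str, int len,
                            int *oob)
{
    for (const compl_T *m = head; m != NULL; m = m->cp_next) {
        if (STRNCMP(m->cp_str, str, len) != 0)
            continue;
        if ((int)STRLEN(m->cp_str) < len) {
            *oob = 1;              /* original code reads m->cp_str[len] here */
            return 1;
        }
        if (m->cp_str[len] == NUL) /* len <= STRLEN: in bounds */
            return 1;
    }
    return 0;
}

/* Fixed shape from the patch: the STRLEN test short-circuits, so cp_str[len]
 * is evaluated only when len is below the text length. */
static int is_dup_guarded(const compl_T *head, const char_u *str, int len)
{
    for (const compl_T *m = head; m != NULL; m = m->cp_next)
        if (STRNCMP(m->cp_str, str, len) == 0
                && ((int)STRLEN(m->cp_str) <= len || m->cp_str[len] == NUL))
            return 1;
    return 0;
}

/* Runs both checks against a one-entry list; packs the outcomes into R_* bits. */
static int run_case(const char *existing, const char *str, int len)
{
    compl_T *list = add_match(NULL, existing);
    int oob = 0, result = 0;
    if (is_dup_unguarded(list, (const char_u *)str, len, &oob))
        result |= R_UNGUARDED_DUP;
    if (oob)
        result |= R_OOB_READ;
    if (is_dup_guarded(list, (const char_u *)str, len))
        result |= R_GUARDED_DUP;
    free_matches(list);
    return result;
}

int main(void)
{
    printf("exact dup  -> %d\n", run_case("foo", "foo", 3));    /* 3: both say dup */
    printf("prefix     -> %d\n", run_case("foobar", "foo", 3)); /* 0: 'b' at [3] */
    /* Constructed hazard: len exceeds the stored text, STRNCMP succeeds at the
     * shared NUL, and the unguarded check would read cp_str[8] -> 7. */
    printf("overlong   -> %d\n", run_case("ab", "ab", 8));
    return 0;
}
```

The third case is the shape the advisory describes: `len` exceeds the stored text, `STRNCMP` succeeds at the shared terminator, and only the `STRLEN` guard keeps `cp_str[len]` from being evaluated. In the real code this is the kind of read that AddressSanitizer (`-fsanitize=address`) turns into a reported heap-buffer-overflow rather than silent undefined behaviour.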

Preconditions

  • Vim must be in insert mode with completion active (e.g., after typing CTRL-P or CTRL-X).
  • The completion list must contain a duplicate match whose string is shorter than the comparison length.

Reproduction

The patch includes a Vimscript test case: open a new buffer, type `o` (insert mode, then Backspace), then `7o` followed by raw 0x80 bytes (seven lines containing the byte 0x80), then `sil! norm o` (insert CTRL-P, CTRL-X, CTRL-P, CTRL-X, CTRL-P). This sequence triggers the heap-buffer-overflow read in `ins_compl_add()` [1].

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0

No linked articles in our index yet.