VYPR
Unrated severity · NVD Advisory · Published Jul 25, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2522

Description

A heap-based buffer overflow in Vim before 9.0.0061 occurs when nested autocommands are triggered, allowing crash or code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow vulnerability exists in Vim versions prior to 9.0.0061. The bug originates in the handling of nested autocommands within apply_autocmds_group(). When autocommands are nested, cursor and topline validation was not performed correctly, leading to an out-of-bounds memory access on the heap [1]. This affects all Vim versions before the patch release [3].

Exploitation

An attacker can trigger the vulnerability by crafting a file or input that causes a nested autocommand sequence. Specifically, a malicious file can contain autocommands that, when processed, cause the editor to enter a nested autocommand loop (e.g., using ++nested). The cursor and topline are then improperly validated, leading to a heap-based buffer overflow [1]. No special authentication is required; user interaction (opening the crafted file or executing the commands) is sufficient.

Impact

Successful exploitation can lead to a crash of the Vim process (denial of service) or potentially arbitrary code execution in the context of the user running Vim, if the overflow is carefully controlled. Because the corruption is heap-based, it can be abused for more severe outcomes than a simple crash [4][3].

Mitigation

The vulnerability is fixed in Vim version 9.0.0061, released on 2022-07-25 [1]. Users should upgrade to Vim 9.0.0061 or later [3]. Gentoo recommends upgrading to at least version 9.0.1157 [3]. No workaround is available [3]. The CVE is not listed in CISA KEV.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 39

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing re-validation of cursor and topline in nested autocommands allows stale out-of-range line numbers, leading to heap-based buffer overflow."

Attack vector

An attacker can craft a buffer and trigger nested autocommands that cause the cursor line number (`w_cursor.lnum`) or topline (`w_topline`) to exceed the number of lines in the current buffer (`b_ml.ml_line_count`). When `check_lnums()` was called for the outer autocommand, it saved the corrected cursor/topline values, but a nested autocommand could further modify the buffer (e.g., closing a window) without re-validating the saved values. This leads to a heap-based buffer overflow when Vim later accesses memory using the stale, out-of-range line number [1].

Affected code

The vulnerability is in the `check_lnums()` function in Vim's source code, specifically in the handling of nested autocommands. The patch modifies `apply_autocmds_group()` and introduces `check_lnums_nested()` to properly handle cursor and topline validation when autocommands are nested [1].

What the fix does

The patch introduces `check_lnums_nested()` which, unlike `check_lnums()`, does NOT re-save the original cursor/topline values: it only corrects them if they exceed the buffer line count. This prevents the nested call from overwriting the saved original values that `reset_lnums()` relies on to restore state after the outer autocommand completes. The commit message explains: "Make sure cursor and topline are valid. The first time the current values are saved, restored by reset_lnums(). When nested only the values are corrected when needed" [1].
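The save/correct/restore interplay above is easier to see in a small model. The following is an added example, not Vim's code or data layout: it reduces the window and buffer to a cursor line, a topline and a line count, models `check_lnums()`, `check_lnums_nested()` and `reset_lnums()` as the page describes them, and runs one scenario (an outer autocommand shrinks the buffer, then triggers a nested one) under three dispatch variants. The variant names, `clamp_lnums()`, `apply_autocmds()`, `outer_handler()`, `nested_handler()`, `stale_seen` and `run_scenario()` are constructed for this example. The "stale" access is only recorded, never performed.

```c
#include <stdio.h>

/* Simplified model of the state Vim tracks around autocommand execution,
 * constructed for this example; not Vim's own structs or functions. */
typedef long linenr_T;

enum { VULNERABLE = 0, NESTED_RESAVES = 1, FIXED = 2 };

static struct { linenr_T ml_line_count; } curbuf;
static struct {
    linenr_T w_cursor_lnum, w_topline;      /* live values */
    linenr_T cursor_save, topline_save;     /* originals kept for reset_lnums() */
    linenr_T cursor_corr, topline_corr;     /* clamped copies kept for reset_lnums() */
} curwin;

static int nesting;     /* autocommand nesting depth */
static int mode;        /* dispatch variant being modelled */
static int stale_seen;  /* set when a nested handler ran with an invalid cursor */

/* Clamp cursor and topline to the current line count. */
static void clamp_lnums(void)
{
    if (curwin.w_cursor_lnum > curbuf.ml_line_count)
        curwin.w_cursor_lnum = curbuf.ml_line_count;
    if (curwin.w_topline > curbuf.ml_line_count)
        curwin.w_topline = curbuf.ml_line_count;
}

/* Model of check_lnums(): remember originals, clamp, remember clamped copies. */
static void check_lnums(void)
{
    curwin.cursor_save = curwin.w_cursor_lnum;
    curwin.topline_save = curwin.w_topline;
    clamp_lnums();
    curwin.cursor_corr = curwin.w_cursor_lnum;
    curwin.topline_corr = curwin.w_topline;
}

/* Model of check_lnums_nested(): clamp only; saved values stay untouched. */
static void check_lnums_nested(void) { clamp_lnums(); }

/* Model of reset_lnums(): restore an original only if the autocommands
 * left the clamped value as it was. */
static void reset_lnums(void)
{
    if (curwin.w_cursor_lnum == curwin.cursor_corr)
        curwin.w_cursor_lnum = curwin.cursor_save;
    if (curwin.w_topline == curwin.topline_corr)
        curwin.w_topline = curwin.topline_save;
}

typedef void (*handler_fn)(void);

/* Model of the validation around apply_autocmds_group(). */
static void apply_autocmds(handler_fn handler)
{
    nesting++;
    if (nesting == 1)
        check_lnums();
    else if (mode == NESTED_RESAVES)
        check_lnums();          /* wrong: overwrites the saved originals */
    else if (mode == FIXED)
        check_lnums_nested();   /* 9.0.0061: validate without re-saving */
    /* VULNERABLE: nested calls are not validated at all */
    handler();
    if (nesting == 1)
        reset_lnums();
    nesting--;
}

/* Stand-in for a line lookup inside the nested autocommand; in Vim a line
 * number past ml_line_count here became the out-of-bounds heap access.
 * This model only records the condition. */
static void nested_handler(void)
{
    if (curwin.w_cursor_lnum > curbuf.ml_line_count)
        stale_seen = 1;
}

/* Outer autocommand: shrinks the buffer, then triggers a nested one. */
static void outer_handler(void)
{
    curbuf.ml_line_count = 3;   /* constructed: lines deleted by the handler */
    apply_autocmds(nested_handler);
}

/* Returns 1 if the nested handler saw a stale cursor, 2 if cursor or topline
 * is still out of range after the outer autocommand finished, else 0. */
int run_scenario(int variant)
{
    mode = variant; nesting = 0; stale_seen = 0;
    curbuf.ml_line_count = 10;      /* constructed starting state */
    curwin.w_cursor_lnum = 10;
    curwin.w_topline = 8;
    apply_autocmds(outer_handler);
    if (stale_seen)
        return 1;
    if (curwin.w_cursor_lnum > curbuf.ml_line_count
            || curwin.w_topline > curbuf.ml_line_count)
        return 2;
    return 0;
}

int main(void)
{
    printf("no nested validation: %d\n", run_scenario(VULNERABLE));
    printf("nested re-saves     : %d\n", run_scenario(NESTED_RESAVES));
    printf("check_lnums_nested(): %d\n", run_scenario(FIXED));
    return 0;
}
```

The middle variant is the one the commit message rules out: if the nested entry called `check_lnums()` again, its clamped value would become the new "corrected" copy, `reset_lnums()` would see the cursor unchanged and put back an original line number that no longer exists in the buffer. Correcting without re-saving leaves the outer invocation's bookkeeping intact, so the restore is skipped and the clamped value survives.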

Preconditions

  • input: The attacker must be able to supply a buffer that triggers nested autocommands (e.g., via a ++nested autocmd or BufAdd events)
  • config: The nested autocommand must modify the buffer such that the cursor or topline becomes invalid (e.g., closing a window or changing laststatus)

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0 (no linked articles in our index yet)