VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2022 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2022-2571

Description

Heap buffer overflow in Vim's insert-mode completion prior to 9.0.0101 allows out-of-bounds read, risking information disclosure or crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow exists in the ins_comp_get_next_word_or_line function within Vim's insert-mode completion logic. The vulnerability affects all versions of Vim prior to patch 9.0.0101. When insert-mode completion is triggered on a line that ends with a crafted sequence, the code can read past the end of the input line without proper bounds checking. The condition requires the user to open a specially crafted file and invoke insert completion (e.g., Ctrl+X Ctrl+L or Ctrl+X Ctrl+F) on the affected line [1][2].

Exploitation

An attacker must convince a victim to open a malicious file in Vim and then perform insert-mode completion on a specifically crafted line. The proof-of-concept test in the commit shows the following sequence: norm 8o\x80\xfd\xa0 creates a line with special characters, followed by sil! norm o\x10\x18\x10\x18\x10 to trigger completion. No authentication or network access is required; the attack is local and relies on user interaction. The vulnerability arises because compl_length is used as an offset into tmp_ptr without verifying it does not exceed the string length [1][2].
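A simplified C model of the root cause described above, added here as an illustration and not taken from Vim's source. Only the name compl_length comes from the advisory; the function names, the word-scanning logic and the skip-nothing fallback for a stale offset are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unchecked pattern, for contrast only: the offset is trusted. When
 * compl_length exceeds strlen(line) the result points past the NUL and
 * any later read through it is out of bounds. */
const char *skip_prefix_unchecked(const char *line, int compl_length)
{
    return line + compl_length;
}

/* Hardened form: advance only when the offset lies inside the string.
 * Assumption: a stale offset means "skip nothing". */
const char *skip_prefix_checked(const char *line, int compl_length)
{
    if (compl_length < 0 || (size_t)compl_length > strlen(line))
        return line;
    return line + compl_length;
}

/* Length of the next word after the already-completed prefix
 * (0 = nothing left to add). Every read stays at or before the NUL. */
size_t next_word_len(const char *line, int compl_length)
{
    const char *p = skip_prefix_checked(line, compl_length);
    const char *start;

    while (*p != '\0' && !isalnum((unsigned char)*p))
        p++;
    start = p;
    while (isalnum((unsigned char)*p))
        p++;
    return (size_t)(p - start);
}

int main(void)
{
    /* Constructed inputs: a normal line, and a short line with a stale offset. */
    printf("%zu\n", next_word_len("foo bar baz", 3));
    printf("%zu\n", next_word_len("ab", 10));
    return 0;
}
```

Building the unchecked variant with -fsanitize=address and passing it an offset larger than the line length is a quick way to confirm that a missing length check of this kind is caught in testing.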

Impact

Successful exploitation allows an attacker to read heap memory beyond the bounds of the allocated buffer, potentially leaking sensitive information. In some cases, the out-of-bounds read could lead to a crash (denial of service). While the vulnerability is classified as a heap-based buffer overflow, the primary observed impact is information disclosure rather than arbitrary code execution [1][2].

Mitigation

The vulnerability is fixed by the official patch in Vim version 9.0.0101, released on 2022-08-01. Users should upgrade to Vim 9.0.0101 or later. No workaround is documented, and there is no evidence of inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

References

2
