Unrated severity · NVD Advisory · Published Aug 1, 2022 · Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2581

Description

Out-of-bounds read in Vim's regexp engine when pattern starts with an illegal byte, leading to potential information disclosure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An out-of-bounds read vulnerability exists in Vim's cstrchr function in charset.c when processing a regex pattern that starts with an illegal byte (e.g., 0xff). The issue occurs because the code did not properly check for illegal byte sequences before performing a fold comparison, allowing access beyond the intended buffer. This affects all versions of Vim prior to 9.0.0104 [1][2].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious regex pattern that begins with an illegal byte. The attacker does not require any special privileges, but user interaction is necessary—the victim must open a file or execute a command that triggers the vulnerable regex processing. The out-of-bounds read occurs during the pattern matching operation [1][2].

Impact

Successful exploitation results in an out-of-bounds read, which may leak sensitive memory contents. This could lead to information disclosure, potentially exposing data such as passwords, encryption keys, or other confidential information present in the process memory. No code execution or privilege escalation is indicated in the available references [1][2].

Mitigation

The vulnerability is fixed in Vim version 9.0.0104, released on 2022-08-01. Users should update to this version or later. The fix is implemented in commit f50940531dd57135fe60aa393ac9d3281f352d88 [1]. No workarounds are documented; updating is the recommended mitigation [2].
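A version check against the fix level stated above (9.0.0104), added here as an example and not taken from the advisory or the Vim project. It parses the banner and `Included patches:` line of `vim --version` output; the sample strings are constructed, and the result reflects the reported version only, so a fix backported without changing the patch list would show as unfixed.

```python
import re
import shutil
import subprocess

FIXED_RELEASE, FIXED_PATCH = (9, 0), 104  # advisory: fixed in Vim 9.0.0104

# Constructed `vim --version` excerpts (not captured from real hosts).
SAMPLES = {
    "old_release": "VIM - Vi IMproved 8.2 (constructed sample)\nIncluded patches: 1-4919\n",
    "one_short": "VIM - Vi IMproved 9.0 (constructed sample)\nIncluded patches: 1-103\n",
    "gap_at_fix": "VIM - Vi IMproved 9.0 (constructed sample)\nIncluded patches: 1-103, 105-200\n",
    "fixed": "VIM - Vi IMproved 9.0 (constructed sample)\nIncluded patches: 1-104\n",
    "no_patch_line": "VIM - Vi IMproved 9.0 (constructed sample)\nCompiled by constructed\n",
    "newer_release": "VIM - Vi IMproved 9.1 (constructed sample)\nIncluded patches: 1-16\n",
}


def parse_vim_version(text):
    """Return ((major, minor), [(lo, hi), ...]) parsed from `vim --version` text."""
    banner = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not banner:
        raise ValueError("input does not look like `vim --version` output")
    release = (int(banner.group(1)), int(banner.group(2)))
    ranges = []
    line = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    for part in (line.group(1).split(",") if line else []):
        lo, _, hi = part.strip().partition("-")
        if lo.isdigit() and (hi.isdigit() or not hi):
            ranges.append((int(lo), int(hi or lo)))
    return release, ranges


def has_fix(text):
    """True if the reported version includes patch 9.0.0104 or is a later release."""
    release, ranges = parse_vim_version(text)
    if release != FIXED_RELEASE:
        return release > FIXED_RELEASE
    # Same release: the fix patch itself must be listed, since patch lists can have gaps.
    return any(lo <= FIXED_PATCH <= hi for lo, hi in ranges)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:14} has_fix={has_fix(sample)}")
    if shutil.which("vim"):  # also check the locally installed binary, if any
        out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
        print("local vim      has_fix=" + str(has_fix(out)))
```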

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Vulnerability mechanics

Root cause

"Missing validation of illegal byte values in `cstrchr()` allows out-of-bounds memory access when processing UTF-8 patterns."

Attack vector

An attacker can trigger an out-of-bounds read by crafting a pattern that starts with an illegal byte (e.g., 0xff) and supplying it to Vim. When `cstrchr()` processes the pattern, it calls `utf_ptr2char(p)` on the illegal byte and then compares the folded result, but without first checking whether the byte is legal, the function may read past the intended memory boundary [1]. The attack requires the victim to open a file or execute a command that causes Vim to process the malicious pattern.

Affected code

The vulnerability is in the `cstrchr()` function in Vim's source code. The patch modifies the condition at line 1644 of the file changed in commit `f50940531dd57135fe60aa393ac9d3281f352d88` [1]. The fault lies in how the function handles illegal byte sequences when matching patterns in UTF-8 encoding.

What the fix does

The patch adds a local variable `uc` to hold the result of `utf_ptr2char(p)` and inserts a guard: `if ((uc

Preconditions

  • Input: Victim must open a file or run a command that causes Vim to process a pattern containing an illegal byte (e.g., 0xff).
  • Config: Vim must be compiled with UTF-8 encoding support (enc_utf8).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
