VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 15, 2022· Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2022-2816

Description

Out-of-bounds read in Vim's Vim9 script compiler when processing an empty :unlet statement, fixed in version 9.0.0212.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in Vim's Vim9 script compiler when processing an empty :unlet statement, fixed in version 9.0.0212.

Vulnerability

An out-of-bounds read vulnerability exists in the check_vim9_unlet function in Vim's Vim9 script compiler. When a :unlet command is issued without an argument (i.e., an empty name), the function attempts to read from a null pointer, leading to an out-of-bounds read. This affects Vim versions prior to 9.0.0212. The issue was introduced in the Vim9 script compilation code and is triggered during the compilation phase of a Vim9 script containing an empty unlet statement [1].

Exploitation

An attacker can exploit this vulnerability by crafting a Vim9 script that includes an empty :unlet command and then having a victim open or execute that script in Vim. No special privileges or authentication are required; the attacker only needs to convince the victim to process the malicious script (e.g., via a file or pasted content). The out-of-bounds read occurs during compilation, before the script is executed [1].

Impact

Successful exploitation results in an out-of-bounds read, which may cause a crash (denial of service) or potentially leak sensitive memory contents. The vulnerability is classified as an out-of-bounds read, which could lead to information disclosure or further memory corruption depending on the memory layout [1].

Mitigation

The vulnerability is fixed in Vim version 9.0.0212, released on 2022-08-15. Users should upgrade to this version or later. The Gentoo security advisory (GLSA 202305-16) recommends upgrading to >=app-editors/vim-9.0.1157 for Gentoo users [3]. No workaround is available; updating Vim is the only mitigation.

References
  1. patch 9.0.0212: invalid memory access when compiling :unlet · vim/vim@dbdd16b
  2. Multiple Vulnerabilities (GLSA 202305-16) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NUL check on the name argument in check_vim9_unlet allows out-of-bounds read when :unlet is used without a variable name."

Attack vector

An attacker can trigger an out-of-bounds read by providing a Vim script that uses the `:unlet` command without any variable name inside a Vim9 `:def` function. When the Vim9 compiler processes this malformed script, `check_vim9_unlet` receives an empty string pointer and attempts to read `name[1]` without first verifying that `name` is non-empty, causing an invalid memory access [ref_id=1].

Affected code

The vulnerability is in the `check_vim9_unlet` function in `src/vim9compile.c`. The patch adds a guard at the start of this function to check if the `name` pointer is `NUL` (empty) before proceeding with any further processing [ref_id=1].

What the fix does

The patch adds an early check at the beginning of `check_vim9_unlet` that tests `if (*name == NUL)`. When the name is empty, it calls `semsg(_(e_argument_required_for_str), "unlet")` and returns `FAIL`, preventing any out-of-bounds read. The test case is also updated to expect the error at line 1 instead of line 2, and a new test for `unlet` with no argument is added [ref_id=1].

Preconditions

  • inputThe attacker must supply a Vim script containing a Vim9 :def function with an argument-less :unlet command.
  • configThe victim must compile or execute this script in Vim prior to 9.0.0212.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.