Unrated severity · NVD Advisory · Published Aug 15, 2022 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-2817

Description

Use-after-free in Vim's assert_fails function allows memory corruption; fixed in 9.0.0213.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the f_assert_fails function in Vim prior to version 9.0.0213. When assert_fails is called with a list argument containing two items, the function retrieves the error message from v:errmsg and then attempts pattern matching via pattern_match(). If the pattern match triggers an error, the memory pointed to by the saved string may be freed, leading to a use-after-free condition. This was fixed in commit 249e1b9, which adds a copy of the error message string to prevent premature freeing [1].

Exploitation

An attacker could craft a malicious Vimscript file that calls assert_fails with a specially crafted pattern. The pattern must cause an internal error during matching, which triggers the freeing of the error message string. The attacker would need to trick a user into opening the file with Vim. No special privileges are required beyond the ability to create a file that Vim processes.

Impact

Successful exploitation could lead to memory corruption, potentially causing a crash or arbitrary code execution. The primary risk is denial of service, but under certain conditions, more severe impacts may be possible.

Mitigation

The vulnerability is patched in Vim version 9.0.0213. Users should upgrade to this version or later. The Gentoo security advisory GLSA 202305-16 recommends upgrading to >=9.0.1157 [3]. No workarounds are available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Vulnerability mechanics

Root cause

"Use-after-free in f_assert_fails() where a pointer to VV_ERRMSG is used after pattern_match() may have freed it."

Attack vector

An attacker can trigger a use-after-free by crafting a Vim script that calls `assert_fails()` with arguments that cause `pattern_match()` to free the internal `VV_ERRMSG` string while `f_assert_fails` still holds a pointer to it. The specific test case added in the patch uses `assert_fails('c0', ['', '\1'])` to reproduce the issue [1]. The freed memory is then accessed when the function continues to use the stale pointer, leading to undefined behavior.

Affected code

The vulnerability is in the `f_assert_fails` function in `src/eval.c`. The function retrieves the Vim error message via `get_vim_var_str(VV_ERRMSG)` and passes the resulting pointer to `pattern_match()`, which may free the memory that pointer references during error processing. The patch introduces a `tofree` variable and uses `vim_strsave()` to make a stable copy of the error message before calling `pattern_match()`, then frees the copy afterward.

What the fix does

The patch adds a `tofree` pointer and calls `vim_strsave()` to duplicate the string returned by `get_vim_var_str(VV_ERRMSG)` before passing it to `pattern_match()` [1]. This ensures that even if `pattern_match()` frees the original `VV_ERRMSG` string, the copy remains valid. The copy is freed with `vim_free(tofree)` after use. The patch also adds a test case (`Test_assert_fail_fails`) that exercises the bug to prevent regression.
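The borrow-then-call hazard and the copy-first fix described above, as an added example in a simplified C model. This is not Vim source code: `g_errmsg`, `set_errmsg`, `match_model`, the generation counter and the message strings are constructed stand-ins, and the assumption that a bad pattern replaces the global message is part of the model.

```c
/* Added illustration: a simplified model of the pattern, not Vim source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static char *g_errmsg;        /* stands in for the global error-message string */
static unsigned g_errmsg_gen; /* bumped every time that storage is replaced */

/* Replace the global message; the previous buffer is freed. */
static void set_errmsg(const char *s) {
    char *copy = malloc(strlen(s) + 1);
    if (copy == NULL) abort();
    strcpy(copy, s);
    free(g_errmsg);
    g_errmsg = copy;
    g_errmsg_gen++;
}

/* Model matcher (assumption): a pattern starting with a backslash is invalid,
   and reporting that replaces the global message before returning. */
static int match_model(const char *pat, const char *text) {
    if (pat[0] == '\\') { set_errmsg("pattern error (constructed)"); return 0; }
    return strstr(text, pat) != NULL;
}

/* Pre-fix shape: borrow the global pointer across the call. Returns 1 when the
   borrowed pointer went stale; it is deliberately never dereferenced here. */
int borrowed_pointer_goes_stale(const char *pat) {
    set_errmsg("first error (constructed)");
    const char *actual = g_errmsg;
    unsigned gen = g_errmsg_gen;
    (void)match_model(pat, actual);
    return gen != g_errmsg_gen; /* reading `actual` now would be a use-after-free */
}

/* Post-fix shape: take a private copy, use only the copy, free it afterwards. */
int copy_then_match(const char *pat, char *out, size_t outlen) {
    set_errmsg("first error (constructed)");
    char *tofree = malloc(strlen(g_errmsg) + 1);
    if (tofree == NULL) abort();
    strcpy(tofree, g_errmsg);
    int matched = match_model(pat, tofree);
    snprintf(out, outlen, "%s", tofree); /* copy is still valid after the call */
    free(tofree);
    return matched;
}
```

When reviewing similar code, the thing to look for is any pointer obtained from a global or interpreter-owned variable that stays live across a call able to report an error or otherwise reassign that variable.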

Preconditions

  • input: The attacker must be able to supply or execute a Vim script that calls assert_fails() with crafted arguments.
  • config: The target must be running a version of Vim prior to 9.0.0213.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
