Heap-based Buffer Overflow in vim/vim
Description
A heap-based buffer overflow in Vim before 9.0.0220, triggered by a for loop over a NULL string, can lead to a crash or potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in Vim versions prior to 9.0.0220 [1], [2]. The vulnerability is located in the `mb_ptr2len` function, which is used to determine the byte length of a character. The fix (commit `f6d39c31d2177549a986d170e192d8351bd571e2`) shows that the function previously returned a non-zero value for a NUL byte, causing invalid memory access when used in contexts such as a for loop over a NULL string [1]. This occurs because the length calculation for Latin and DBCS encodings did not properly handle a NUL character, leading to an out-of-bounds read or write on the heap.
Exploitation
An attacker could exploit this vulnerability by crafting a specially formatted file (e.g., a text file with a NULL string in a for loop) that, when opened in Vim, triggers the heap-based buffer overflow. The attack requires no special network position; the user must simply open the malicious file with Vim. The specific code path is reachable when Vim evaluates a for loop over a NULL string, which causes the `mb_ptr2len` function to read beyond the allocated heap buffer [1]. No authentication or additional privileges are needed beyond being a normal Vim user.
Impact
Successful exploitation of this heap-based buffer overflow can result in a crash (denial of service) or, potentially, arbitrary code execution in the context of the Vim process [3], [4]. The vulnerability could therefore allow an attacker to compromise the user's system, leading to information disclosure, data corruption, or remote code execution, depending on the attacker's ability to control the heap layout.
Mitigation
The vulnerability is fixed in Vim version 9.0.0220, released on 2022-08-17 [1]. Users should upgrade to this version or later (for example 9.0.1157, as recommended in the Gentoo GLSA [3]). There is no known workaround for affected versions; the only mitigation is to apply the patch or upgrade. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV coordinates (37 versions, no CPE):
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.2, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed, range: < 9.0.0453-2.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1, range: < 9.0.0313-150000.5.25.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209, range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209, range: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing NUL check in `latin_ptr2len()` and `dbcs_ptr2len()` causes a heap-based buffer overflow when iterating over a NULL string."
Attack vector
An attacker can trigger a heap-based buffer overflow by crafting a Vim script that uses a `for` loop over a NULL string (e.g., `for c in test_null_string()`). When Vim iterates over the NULL string, the `mb_ptr2len` function pointer calls `latin_ptr2len()` or `dbcs_ptr2len()` on a NUL byte. Without the NUL check, these functions return a non-zero length for a NUL character, causing Vim to read past the end of the allocated buffer [ref_id=1].
Affected code
The vulnerability is in the `latin_ptr2len()` and `dbcs_ptr2len()` functions in `src/mbyte.c`. These functions are used via the `mb_ptr2len` function pointer to determine the byte length of a character. Prior to the patch, `latin_ptr2len()` returned `MB_BYTE2LEN(*p)` without checking for NUL, and `dbcs_ptr2len()` did not check for NUL before accessing `p[1]`.
What the fix does
The patch adds explicit NUL checks to `latin_ptr2len()` and `dbcs_ptr2len()` so they return zero when `*p` is NUL [ref_id=1]. The comment for `mb_ptr2len` is also updated to document that "NUL has length zero." A new test function `Test_for_over_null_string()` is added to verify the fix by iterating over a NULL string and asserting the count is zero [ref_id=1].
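As an added illustration (this is not code from Vim or from the referenced commit), the following C models the two function shapes described above: a `ptr2len` that reports a NUL byte as a one-byte character, and the fixed form that returns zero for NUL, beside a walker that advances by the returned length the way a `for` loop over a string does. The byte-length tables, the `count_chars` walker (which refuses to step past the bytes it owns and reports that instead of reading out of bounds) and the treatment of a NULL string as the empty string are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for Vim's MB_BYTE2LEN table (assumptions for this
 * example, not Vim's real tables). In a single-byte (latin) encoding every
 * byte, NUL included, maps to length 1; in the toy DBCS case bytes >= 0x81
 * are treated as lead bytes that start a 2-byte character. */
static int byte2len_latin(unsigned char b) { (void)b; return 1; }
static int byte2len_dbcs(unsigned char b) { return b >= 0x81 ? 2 : 1; }

/* Vulnerable shape: no NUL check, so the terminator is reported as a
 * one-byte character and a caller stepping by this length walks past it. */
static int latin_ptr2len_vuln(const unsigned char *p) {
    return byte2len_latin(*p);
}

/* Fixed shape: NUL has length zero, so callers stop at the terminator. */
static int latin_ptr2len_fixed(const unsigned char *p) {
    if (*p == 0) return 0;
    return byte2len_latin(*p);
}

/* DBCS: a lead byte followed by NUL is treated as a lone 1-byte character. */
static int dbcs_ptr2len_vuln(const unsigned char *p) {
    int len = byte2len_dbcs(*p);
    if (len == 2 && p[1] == 0) len = 1;
    return len;
}

static int dbcs_ptr2len_fixed(const unsigned char *p) {
    if (*p == 0) return 0;              /* the added NUL check */
    int len = byte2len_dbcs(*p);
    if (len == 2 && p[1] == 0) len = 1;
    return len;
}

typedef int (*ptr2len_fn)(const unsigned char *);

/* Walk a string one character at a time, advancing by ptr2len() as a
 * for-loop over a string does. `limit` is the number of bytes the caller
 * owns (terminator included). Returns the character count, or -1 if the
 * next ptr2len() call would have read beyond the owned bytes. */
static int count_chars(const unsigned char *s, size_t limit, ptr2len_fn ptr2len) {
    size_t idx = 0;
    int count = 0;
    for (;;) {
        if (idx >= limit) return -1;    /* would read out of bounds */
        int len = ptr2len(s + idx);
        if (len == 0) return count;     /* fixed functions stop at NUL */
        count++;
        idx += (size_t)len;
    }
}

/* A NULL string is treated as the empty string here (assumption). */
static int count_chars_nullable(const unsigned char *s, size_t limit, ptr2len_fn ptr2len) {
    static const unsigned char empty[1] = { 0 };
    if (s == NULL) { s = empty; limit = sizeof empty; }
    return count_chars(s, limit, ptr2len);
}

int main(void) {
    const unsigned char *abc = (const unsigned char *)"abc";   /* 4 bytes owned */
    printf("NULL string, fixed: %d\n", count_chars_nullable(NULL, 0, latin_ptr2len_fixed));
    printf("NULL string, vuln:  %d\n", count_chars_nullable(NULL, 0, latin_ptr2len_vuln));
    printf("\"abc\", fixed:       %d\n", count_chars(abc, 4, latin_ptr2len_fixed));
    printf("\"abc\", vuln:        %d\n", count_chars(abc, 4, latin_ptr2len_vuln));
    return 0;
}
```

The walker shows why the check matters even for ordinary strings: with the vulnerable function every walk consumes the terminator as a character and keeps going, and only the owned-byte limit in this model stands between it and an out-of-bounds read.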
Preconditions
- Input: The attacker must be able to supply or execute a Vim script containing a for loop over a NULL string.
- Config: The 'encoding' option must be set to a single-byte (e.g., latin1) or DBCS encoding where the vulnerable functions are used.
Reproduction
Set `&enc` to `iso8859-1` (or another latin encoding), then execute a `for` loop over `test_null_string()` as shown in the test: `for c in test_null_string() | let cnt += 1 | endfor`. The loop should trigger the invalid memory access [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- github.com/vim/vim/commit/f6d39c31d2177549a986d170e192d8351bd571e2 (mitre)
- huntr.dev/bounties/389aeccd-deb9-49ae-9b6a-24c12d79b02e (mitre)
News mentions
No linked articles in our index yet.