Unrated severity · NVD Advisory · Published Aug 17, 2022 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-2862

Description

Use-after-free in Vim's compile_nested_function() can cause memory corruption; fixed in version 9.0.0221.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in Vim's compile_nested_function() function, affecting versions prior to 9.0.0221 [1]. When compiling nested functions, a local variable (lvar) is reserved and later used after the function reference may have been freed. The fix ensures the local variable pointer is set to NULL and invalidated after the function is unreferenced, preventing access to freed memory [1].

Exploitation

An attacker can exploit this by crafting a Vim script file containing nested function definitions that trigger the vulnerable code path. The attacker must convince a user to open the malicious file in Vim. No special privileges are required beyond normal file access. The triggering sequence is compile_nested_function() freeing the function reference and then attempting to use the local variable pointer, which leads to a use-after-free condition [1].

Impact

Successful exploitation can lead to memory corruption, potentially resulting in a denial of service (crash) or arbitrary code execution in the context of the Vim process. The vulnerability has a CVSS score of 7.8 (High) [3].

Mitigation

The vulnerability is fixed in Vim version 9.0.0221, released on 2022-08-17 [1]. Users should upgrade to this version or later. Gentoo Linux recommends upgrading to >=app-editors/vim-9.0.1157 [3]. No workaround is available; updating is the only mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Vulnerability mechanics

Root cause

"Use-after-free due to a dangling pointer to a local variable (`lvar`) that may be freed when `compile_def_function()` fails during nested function compilation."

Attack vector

An attacker can trigger a use-after-free by providing a crafted Vim script that defines a nested function whose compilation fails (e.g., a syntax error inside the nested function). When `compile_def_function()` fails, `func_ptr_unref(ufunc)` may free the function reference, which in turn can free the local variable (`lvar`) that was previously reserved via `reserve_local()`. The code then continues to access `lvar->lv_name` without checking whether the pointer is still valid [1].

Affected code

The vulnerable code is in `compile_nested_function()` in Vim's source. The local variable `lvar` was declared inside an inner `else` block and its pointer was used after `compile_def_function()` could fail and free the underlying memory [1].

What the fix does

The patch moves the declaration of `lvar` outside the inner scope (initializing it to NULL) and, after `compile_def_function()` fails, checks `if (lvar != NULL)` before writing to `lvar->lv_name`. Setting `*lvar->lv_name = '/'` marks the local variable as unusable. This prevents the use-after-free by ensuring the pointer is only dereferenced when it is still valid [1].
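
The failure path described above, as an added C model that is not Vim's source and not code from the patch. The struct layouts, `lookup_local()`, `stale_after_failure()` and the `patched` flag are simplified assumptions, and a refcount of 0 stands in for a released function so nothing is actually freed. In this model, marking the name is what stops a later lookup from reaching the released function.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Vim source: every type and helper here is hypothetical. */
typedef struct { int refcount; } ufunc_T;            /* refcount 0 == released */
typedef struct { char name[16]; ufunc_T *func; } lvar_T;
typedef struct { lvar_T locals[4]; int count; } cctx_T;

static lvar_T *reserve_local(cctx_T *c, const char *name, ufunc_T *uf) {
    if (c->count >= 4) return NULL;
    lvar_T *lv = &c->locals[c->count++];
    snprintf(lv->name, sizeof lv->name, "%s", name);
    lv->func = uf;
    return lv;
}

/* Name lookup, as code compiled later in the same scope would perform it. */
static lvar_T *lookup_local(cctx_T *c, const char *name) {
    for (int i = 0; i < c->count; i++)
        if (strcmp(c->locals[i].name, name) == 0) return &c->locals[i];
    return NULL;
}

/* compile_ok == 0 stands for compile_def_function() returning failure. */
static int compile_nested(cctx_T *c, ufunc_T *uf, const char *name,
                          int is_global, int compile_ok, int patched) {
    lvar_T *lvar = NULL;          /* fix: outer scope, NULL unless a local is reserved */
    if (!is_global)
        lvar = reserve_local(c, name, uf);
    if (!compile_ok) {
        uf->refcount--;           /* stands for func_ptr_unref(ufunc) */
        if (patched && lvar != NULL)
            *lvar->name = '/';    /* name can no longer match any lookup */
        return 0;
    }
    return 1;
}

/* Returns 1 if a lookup by name still reaches a released function. */
int stale_after_failure(int is_global, int patched) {
    cctx_T c = {0};
    ufunc_T uf = { 1 };
    compile_nested(&c, &uf, "Inner", is_global, 0, patched);
    lvar_T *lv = lookup_local(&c, "Inner");
    return lv != NULL && lv->func->refcount == 0;
}

int main(void) {
    printf("unpatched: stale=%d\n", stale_after_failure(0, 0));
    printf("patched:   stale=%d\n", stale_after_failure(0, 1));
    return 0;
}
```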

Preconditions

  • input: Attacker must supply a Vim script that defines a nested function whose compilation fails (e.g., a syntax error inside the nested function body).
  • auth: The victim must open or execute the crafted script in Vim (e.g., via `:source` or opening a file with modelines).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
