VYPR
Unrated severity · NVD Advisory · Published Aug 19, 2022 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-2889

Description

Use-after-free in Vim's expression evaluation with multiple line breaks allows memory corruption; fixed in 9.0.0225.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A use-after-free vulnerability exists in Vim versions prior to 9.0.0225. The bug resides in the expression evaluation code (eval.c) when processing multiple line breaks within an expression. The evalarg structure's eval_tofree pointer could be freed prematurely while still being referenced, leading to a use-after-free condition. The fix introduced functions init_evalarg, free_eval_tofree_later, and clear_evalarg to properly manage deferred freeing of memory [1].

Exploitation

An attacker can trigger this vulnerability by crafting a file or input that contains multiple line breaks inside an expression (e.g., in a Vim script or during editing). No special privileges are required; the user only needs to open the malicious file or execute the crafted expression in Vim. The sequence involves Vim's expression parser encountering line breaks that cause the eval_tofree pointer to be freed while still in use, leading to a use-after-free [1].

Impact

Successful exploitation can result in memory corruption, potentially leading to arbitrary code execution or denial of service. The attacker may gain the ability to execute code in the context of the Vim process, which could lead to further compromise of the system [1][3].

Mitigation

The vulnerability is fixed in Vim version 9.0.0225, released on 2022-08-19. Users should upgrade to this version or later. Gentoo Linux recommends upgrading to version 9.0.1157 or higher [3]. No workarounds are known; updating is the only reliable mitigation.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Immediate freeing of `eval_tofree` in expression evaluation while other references to the memory still exist, leading to use-after-free."

Attack vector

An attacker can trigger a use-after-free by crafting a Vim script or command that contains multiple line breaks within an expression, causing the expression evaluator to free `eval_tofree` while a pointer to that memory is still in use elsewhere [ref_id=1]. The bug is reachable when Vim processes expressions that span multiple lines, such as in `:let` commands or other contexts where `evalarg` is used [ref_id=1]. No special privileges are required beyond the ability to supply or execute a malicious Vim script.

Affected code

The vulnerability is in the expression evaluation code in Vim's `eval.c`. The functions `skip_expr_concatenate` and `eval_next_line` directly called `vim_free(evalarg->eval_tofree)` before overwriting the pointer, which could leave dangling references if other parts of the code still held pointers into the freed memory [ref_id=1].

What the fix does

The patch introduces a new helper function `free_eval_tofree_later` that, instead of immediately freeing `evalarg->eval_tofree`, saves the pointer into a growable array (`eval_tofree_ga`) for deferred cleanup [ref_id=1]. The calls in `skip_expr_concatenate` and `eval_next_line` are changed from `vim_free(evalarg->eval_tofree)` to `free_eval_tofree_later(evalarg)`, ensuring the memory remains valid until `clear_evalarg` is called, which then frees all deferred entries [ref_id=1]. This prevents the use-after-free by keeping the old `eval_tofree` allocation alive until the expression evaluation is fully complete.
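As an added illustration that is not Vim's own code, the following C model shows the deferred-free pattern the patch introduces: the old line buffer is parked in a list instead of freed, so a pointer taken before a line break stays valid until `clear_evalarg` runs. The `evalarg_t` struct, the fixed-size `deferred` list standing in for `eval_tofree_ga`, and the body of `eval_next_line` are simplifications assumed here, not the actual `eval.c`.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DEFERRED 16   /* fixed-size stand-in for Vim's eval_tofree_ga growarray */
/* Minimal model of Vim's evalarg_T with only the fields the fix touches (assumed). */
typedef struct {
    char *eval_tofree;              /* current line buffer owned by evalarg */
    char *deferred[MAX_DEFERRED];   /* buffers parked for deferred freeing */
    int   deferred_len;
} evalarg_t;
void init_evalarg(evalarg_t *ea) { memset(ea, 0, sizeof *ea); }
/* The fix: park the old buffer instead of calling free() on it right away.
 * Returns 0 if the deferred list is full (the buffer is then left in place). */
int free_eval_tofree_later(evalarg_t *ea) {
    if (ea->eval_tofree == NULL) return 1;
    if (ea->deferred_len == MAX_DEFERRED) return 0;
    ea->deferred[ea->deferred_len++] = ea->eval_tofree;
    ea->eval_tofree = NULL;
    return 1;
}
/* Once the whole expression is evaluated, release everything at once. */
void clear_evalarg(evalarg_t *ea) {
    for (int i = 0; i < ea->deferred_len; i++) free(ea->deferred[i]);
    free(ea->eval_tofree);
    init_evalarg(ea);
}
/* Constructed model of eval_next_line: move to the next line of a multi-line
 * expression, retiring the previous buffer through the deferred helper. */
int eval_next_line(evalarg_t *ea, const char *next) {
    size_t n = strlen(next) + 1;
    char *copy = malloc(n);
    if (copy == NULL || !free_eval_tofree_later(ea)) { free(copy); return 0; }
    ea->eval_tofree = memcpy(copy, next, n);
    return 1;
}
/* Keep a pointer into line 1 across two line breaks (the pattern that dangled
 * before the fix). Returns buffers alive before cleanup (3), or -1 on error. */
int demo_multiline_expression(void) {
    evalarg_t ea;
    init_evalarg(&ea);
    if (!eval_next_line(&ea, "let x = 1")) return -1;
    const char *held = ea.eval_tofree;   /* reference held across line breaks */
    if (!eval_next_line(&ea, "\\ + 2") || !eval_next_line(&ea, "\\ + 3")) {
        clear_evalarg(&ea);
        return -1;
    }
    int alive = strcmp(held, "let x = 1") == 0 ? ea.deferred_len + 1 : -1;
    clear_evalarg(&ea);
    return alive;
}
```

With the pre-fix behaviour (an immediate `vim_free` in `eval_next_line`), reading `held` after the second line would touch freed memory; the deferred list is what makes that read safe.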

Preconditions

  • input: Attacker must be able to supply or execute a Vim script containing expressions with multiple line breaks.
  • config: The vulnerable code path is triggered during expression evaluation (e.g., `:let` commands or other multi-line expression contexts).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
