VYPR
Unrated severity · NVD Advisory · Published Aug 22, 2022 · Updated Aug 3, 2024

NULL Pointer Dereference in vim/vim

CVE-2022-2923

Description

A NULL pointer dereference in Vim's spell-checking code causes a crash when using :mkspell with an empty .dic file, fixed in 9.0.0240.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the sug_filltree function in Vim's spell-checking code, specifically when processing an empty .dic file via the :mkspell command. The crash occurs because the function assumes sl_fbyts and sl_fidxs pointers are non-NULL, but they remain NULL when a dictionary file has no actual word entries. This was fixed in commit [1] and affects all versions prior to 9.0.0240.

Exploitation

An attacker must provide a .dic file and a corresponding .aff affix file via the :mkspell command. The .dic file must contain only a header line (e.g., '1') with no actual word definitions. No authentication or special privileges are needed beyond the ability to write such files and invoke Vim's spell compilation. The attacker simply needs to run :mkspell! with the crafted files, triggering the crash [1].

Impact

Successful exploitation causes a denial of service via a NULL pointer dereference and program crash. The crash occurs in the spell tree traversal loop, leading to immediate termination of the Vim process. No code execution, data disclosure, or privilege escalation is indicated in the available references.

Mitigation

A fix was released in Vim version 9.0.0240 on 2022-08-22 [1]. Users should upgrade to that version or later (e.g., 9.0.1157 via Gentoo [3]). There are no workarounds beyond avoiding the use of :mkspell with untrusted or empty .dic files.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 39

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL-pointer check in sug_filltree() when the case-folded word tree is empty."

Attack vector

An attacker provides a crafted `.dic` file that is empty (contains no word entries) along with a valid `.aff` affix file, then invokes `:mkspell` to compile them into a `.spl` file. The spell-compilation code reaches `sug_filltree()`, which attempts to traverse the case-folded word tree via pointers that were never allocated because the dictionary had no words, causing a NULL pointer dereference and a crash [ref_id=1].

Affected code

The crash occurs in the `sug_filltree()` function in `src/spell.c`. When `:mkspell` is invoked with an empty `.dic` file, the case-folded tree pointers `sl_fbyts` and `sl_fidxs` in the `slang_T` structure remain NULL, and the function dereferences them without a check [ref_id=1].

What the fix does

The patch adds a guard in `sug_filltree()` that checks whether `byts` or `idxs` (derived from `sl_fbyts` and `sl_fidxs`) are NULL, and returns `FAIL` immediately if so [ref_id=1]. This prevents the function from iterating over a non-existent tree, eliminating the NULL pointer dereference. The accompanying test `Test_mkspell_empty_dic()` confirms that `:mkspell` with an empty `.dic` file no longer crashes [ref_id=1].

Preconditions

  • Input: Attacker must supply an empty .dic file (no word entries) and a valid .aff affix file.
  • Input: The victim must run :mkspell in Vim to compile the .dic/.aff pair into a .spl file.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.