VYPR · NVD Advisory · Severity: Unrated · Published Aug 23, 2022 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-2946

Description

Use-after-free in Vim's tag functionality when 'tagfunc' deletes the buffer, allowing potential memory corruption.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in Vim prior to version 9.0.0246 [1]. The bug resides in the do_tag function in src/tag.c. When the tagstack is used and a tagfunc is set, the code accesses tagstack[tagstackidx].tagname after the tag function may have deleted the buffer containing the tagstack, leading to use of freed memory [1].

Exploitation

An attacker with the ability to set the 'tagfunc' option and trigger a tag lookup (e.g., by executing :tag) can cause the tagfunc to delete the current buffer (e.g., using :bwipe), which frees the tagstack memory. The subsequent access to the tagstack then results in a use-after-free condition [1].

Impact

Successful exploitation could lead to memory corruption, potentially allowing arbitrary code execution or denial of service. No CVSS score is given here (the severity is listed as unrated), and the impact is limited to scenarios where the attacker can control the 'tagfunc' option and trigger the vulnerable code path.

Mitigation

The vulnerability is fixed in Vim version 9.0.0246, released with commit adce965 [1]. Users should upgrade to at least this version. As of the publication date, no workaround is known [3]. The Gentoo security advisory recommends updating to Vim 9.0.1157 or later [3].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 39

Vulnerability mechanics

Root cause

"Use-after-free: the code directly referenced `tagstack[tagstackidx].tagname` without making a copy, so when 'tagfunc' deletes the buffer the tagstack memory is freed and the pointer becomes dangling."

Attack vector

An attacker can craft a malicious file that, when opened in Vim, triggers a 'tagfunc' callback. If that callback deletes the current buffer (e.g., via `:bwipe`), the tagstack memory is freed. The subsequent use of `tagstack[tagstackidx].tagname` then reads from freed memory, causing a use-after-free condition [1]. The attacker needs to supply a file that sets `tagfunc` and then causes a tag lookup (e.g., via `:tag`) while the function wipes the buffer.

Affected code

The vulnerability is in the `do_tag()` function in Vim's source. The patch modifies the handling of `tagstack[tagstackidx].tagname`: before the fix, the code used this pointer directly without making a copy, so it became a dangling reference whenever the 'tagfunc' callback deleted the buffer (and with it the tagstack) during execution [1].

What the fix does

The patch introduces a local `tofree` variable and uses `vim_strsave()` to make a copy of `tagstack[tagstackidx].tagname` before calling 'tagfunc'. This ensures that even if the tagstack is freed during the callback, the code operates on a safe heap-allocated copy. The copy is freed at the end of `do_tag()` via `vim_free(tofree)`. A new test function `Test_tagfunc_wipes_buffer()` validates the fix by setting a tagfunc that wipes the buffer and asserting that the tag command fails with error E987 instead of crashing [1].
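To make the fix pattern concrete, here is an added example in C; it is a constructed model written for this page, not Vim's code. It models a buffer that owns a tag stack and a 'tagfunc'-style callback that wipes the buffer in the middle of a lookup, then shows the lookup in the vulnerable shape (a borrowed pointer into the stack held across the callback) beside the fixed shape (copy the name first, re-check the buffer after the callback, free the copy at the end). The names `buffer_t`, `do_tag_vulnerable`, `do_tag_fixed`, `lookup_with_fix`, the two helper functions and the tag names "main" and "parse" are assumptions of the example; `str_copy` stands in for `vim_strsave()` and `free()` for `vim_free()`. The vulnerable function is included for comparison only and is never called, since running it after a wipe would read freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model (not Vim's code): a buffer owns its tag stack, and a
 * 'tagfunc'-style callback runs in the middle of a tag lookup. */
typedef struct { char *tagname; } tagentry_t;

typedef struct {
    tagentry_t *tagstack;   /* NULL once the buffer has been wiped */
    int         tagstacklen;
    int         tagstackidx;
} buffer_t;

typedef void (*tagfunc_t)(buffer_t *buf);

/* Heap copy of a C string; stands in for vim_strsave(). */
static char *str_copy(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p != NULL)
        memcpy(p, s, n);
    return p;
}

/* Free every tag entry and the stack itself, as a buffer wipe would. */
static void wipe_buffer(buffer_t *buf)
{
    for (int i = 0; i < buf->tagstacklen; i++)
        free(buf->tagstack[i].tagname);
    free(buf->tagstack);
    buf->tagstack = NULL;
    buf->tagstacklen = 0;
    buf->tagstackidx = 0;
}

/* Callback behaving like a 'tagfunc' that runs :bwipe on the buffer. */
static void tagfunc_wipes(buffer_t *buf) { wipe_buffer(buf); }

/* Callback that leaves the buffer alone. */
static void tagfunc_benign(buffer_t *buf) { (void)buf; }

/* Vulnerable shape: a borrowed pointer into the tag stack is kept across
 * the callback. If the callback wipes the buffer, the snprintf reads freed
 * memory. Shown for comparison only; nothing in this file calls it. */
int do_tag_vulnerable(buffer_t *buf, tagfunc_t fn, char *out, size_t outlen)
{
    char *name = buf->tagstack[buf->tagstackidx].tagname;  /* borrowed */
    fn(buf);                                                /* may free name */
    snprintf(out, outlen, "%s", name);                      /* UAF if wiped */
    return 0;
}

/* Fixed shape: copy the name before the callback, work on the copy, and
 * re-check the buffer afterwards so a wipe becomes an error return (Vim
 * reports E987 here) instead of a read of freed memory. */
static int do_tag_fixed(buffer_t *buf, tagfunc_t fn, char *out, size_t outlen)
{
    if (buf->tagstack == NULL || buf->tagstackidx >= buf->tagstacklen)
        return -1;                               /* nothing to look up */
    char *tofree = str_copy(buf->tagstack[buf->tagstackidx].tagname);
    if (tofree == NULL)
        return -1;
    int ret;
    fn(buf);                                     /* may free the tagstack */
    if (buf->tagstack == NULL) {
        ret = -2;                                /* buffer wiped: error, no UAF */
    } else {
        snprintf(out, outlen, "%s", tofree);     /* safe: private heap copy */
        ret = 0;
    }
    free(tofree);                                /* mirror of vim_free(tofree) */
    return ret;
}

/* Build a buffer whose tag stack holds the constructed names "main", "parse". */
static buffer_t *make_buffer(void)
{
    static const char *const names[] = { "main", "parse" };
    buffer_t *buf = calloc(1, sizeof *buf);
    buf->tagstacklen = 2;
    buf->tagstack = calloc(2, sizeof *buf->tagstack);
    for (int i = 0; i < 2; i++)
        buf->tagstack[i].tagname = str_copy(names[i]);
    buf->tagstackidx = 1;                        /* current entry is "parse" */
    return buf;
}

/* Run the fixed lookup with a benign (wipe == 0) or wiping callback. */
int lookup_with_fix(int wipe, char *out, size_t outlen)
{
    buffer_t *buf = make_buffer();
    int ret = do_tag_fixed(buf, wipe ? tagfunc_wipes : tagfunc_benign, out, outlen);
    wipe_buffer(buf);                            /* harmless on an already wiped buffer */
    free(buf);
    return ret;
}

/* 1 when the benign path succeeds and yields the current tag name. */
int fixed_lookup_benign_ok(void)
{
    char out[32] = "";
    return lookup_with_fix(0, out, sizeof out) == 0 && strcmp(out, "parse") == 0;
}

/* Status code of the fixed path when the callback wipes the buffer (-2). */
int fixed_lookup_wiped_code(void)
{
    char out[32] = "";
    return lookup_with_fix(1, out, sizeof out);
}

int main(void)
{
    printf("benign tagfunc ok: %d\n", fixed_lookup_benign_ok());
    printf("wiping tagfunc code: %d\n", fixed_lookup_wiped_code());
    return 0;
}
```

The design point is the one the patch makes: any string borrowed from a structure that a user-supplied callback can free must be copied before the callback runs, and the structure must be re-validated afterwards rather than assumed intact. Building with AddressSanitizer and calling `do_tag_vulnerable` with the wiping callback is the quickest way to see the original read-after-free reported.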

Preconditions

  • Input: the user must open a file that sets a 'tagfunc' which deletes the buffer when invoked
  • Input: the user must trigger a tag lookup (e.g., via the :tag command) while that tagfunc is active

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5