VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 25, 2022· Updated Aug 3, 2024

NULL Pointer Dereference in vim/vim

CVE-2022-2980

Description

A null pointer dereference in Vim's mouse handling allows crash via crafted mouse input. Fixed in version 9.0.0259.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A null pointer dereference in Vim's mouse handling allows crash via crafted mouse input. Fixed in version 9.0.0259.

Vulnerability

A NULL pointer dereference vulnerability exists in the do_mouse function in Vim versions prior to 9.0.0259. The issue occurs when the TabPageIdxs pointer is accessed without a NULL check, leading to a crash. The fix introduces a check if (TabPageIdxs != NULL) before handling tab page clicks [1].

Exploitation

An attacker can trigger this vulnerability by sending a crafted mouse event to Vim, such as a click on the tab page line before it is fully initialized. The attacker needs the ability to send mouse input to Vim (e.g., via terminal mouse support). No authentication is required; the attack can be performed remotely if Vim accepts mouse events.

Impact

Successful exploitation causes a denial of service (crash) due to a segmentation fault. The impact is limited to availability; there is no known code execution or data breach.

Mitigation

The vulnerability is fixed in Vim version 9.0.0259 [1]. Users should upgrade to this version or later. For affected distributions, Gentoo recommends upgrading to version 9.0.1157 or later [3]. No workaround is available.

References
  1. patch 9.0.0259: crash with mouse click when not initialized · vim/vim@8052575
  2. Multiple Vulnerabilities (GLSA 202305-16) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing NULL-pointer check before dereferencing `TabPageIdxs` in `do_mouse()` when handling mouse clicks on the tab line."

Attack vector

An attacker can trigger a NULL pointer dereference by sending a mouse click event to Vim before the tab-page line has been initialized. The crash occurs because `do_mouse()` unconditionally reads `TabPageIdxs[mouse_col]` when `is_drag` is true and `in_tab_line` is set, without first verifying that `TabPageIdxs` is non-NULL [ref_id=1]. This can be exploited remotely if Vim is used to process attacker-controlled input (e.g., a crafted file or terminal sequence) with the mouse enabled.

Affected code

The vulnerability is in the `do_mouse()` function in Vim's source code. The code accesses the global array `TabPageIdxs` without first checking whether it has been initialized, which occurs when the tab-page line has not been set up yet.

What the fix does

The patch wraps the entire tab-page line handling block inside a guard `if (TabPageIdxs != NULL)` so that the code is only executed when the tab-page line has been initialized [ref_id=1]. This prevents the NULL pointer dereference by skipping the tab-page mouse logic entirely when `TabPageIdxs` is still NULL. A regression test (`Test_mouse_click_in_tab`) was also added to confirm the fix.

Preconditions

  • configVim must be compiled with mouse support (e.g., 'set mouse=a')
  • inputAn attacker must be able to supply input that causes Vim to process a mouse click event before tab-page initialization

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.