Use After Free in vim/vim
Description
A use-after-free vulnerability in Vim's 'quickfixtextfunc' option can be triggered under recursive calls, potentially leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in Vim before version 9.0.0260 in call_qftf_func(), the function that invokes the user-supplied 'quickfixtextfunc' option. The function had no guard against re-entrancy: when the user-defined function it calls re-entered call_qftf_func() as a side effect, the nested invocation ran while the quickfix list was in an inconsistent state, so freed memory could be accessed. The fix commit [1] introduces a static recursive flag that rejects nested invocations.
Exploitation
Exploitation requires that the victim's Vim has 'quickfixtextfunc' set to a user-defined function whose side effects re-enter the quickfix code, and that a quickfix operation then invokes it: the attacker needs the user to open a specially crafted file or run a quickfix command that takes that path. No network access or authentication is needed, only the ability to supply content (or Vim script) that reaches the vulnerable code path through ordinary user interaction. Once the recursive call happens, the first invocation continues on memory that has been freed.
Impact
Successful exploitation could lead to memory corruption, potentially resulting in a denial of service (crash) or, depending on memory layout, arbitrary code execution. The vulnerability affects the confidentiality, integrity, and availability of the Vim process [1][3].
Mitigation
The fix is included in Vim version 9.0.0260, released on 2022-08-25 [1]; upgrade to that version or later. Gentoo users can update to >=9.0.1157 as per GLSA 202305-16 [3]; the openSUSE and SUSE package versions that carry the fix are listed under Affected products below. No workaround is documented, so the only mitigation is to apply the patch. Note that the bug is reachable only while 'quickfixtextfunc' is set to a function that re-enters the quickfix code.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
39 package versions from OSV coordinates (no CPE assigned). The version shown is the first distribution package build that carries the fix; earlier builds are affected.
- pkg:rpm/opensuse/vim, openSUSE Leap 15.3: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim, openSUSE Leap 15.4: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim, openSUSE Leap Micro 5.2: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim, openSUSE Leap Micro 5.3: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim, openSUSE Tumbleweed: < 9.0.0453-2.1
- pkg:rpm/suse/vim, SUSE Enterprise Storage 6: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Enterprise Storage 7: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15-ESPOS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise High Performance Computing 15-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.1: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.2: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Micro 5.3: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP3: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Basesystem 15 SP4: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP3: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Module for Desktop Applications 15 SP4: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP2-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP3-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP4-LTSS: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 12 SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP1-BCL: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP1-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP2-BCL: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15 SP2-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server 15-LTSS: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 12 SP4: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 12 SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP1: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Linux Enterprise Server for SAP Applications 15 SP2: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Manager Proxy 4.1: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Manager Retail Branch Server 4.1: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE Manager Server 4.1: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim, SUSE OpenStack Cloud 9: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim, SUSE OpenStack Cloud Crowbar 9: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing recursion guard in call_qftf_func allows re-entrant execution on freed quickfix list memory."
Attack vector
An attacker can trigger a use-after-free by crafting a scenario where `call_qftf_func` is invoked recursively. When the `'quickfixtextfunc'` option is set, the function calls back into user-defined code that may itself trigger another quickfix text update, causing the function to re-enter before the first invocation has finished. This recursive call operates on freed or about-to-be-freed memory, leading to a use-after-free condition [1].
Affected code
The vulnerability is in the `call_qftf_func` function in Vim's quickfix code. The function retrieves text via the user-supplied `'quickfixtextfunc'` option, but it could be called recursively while the quickfix list or other internal data structures were in an inconsistent state, leading to a use-after-free.
What the fix does
The patch introduces a static `recursive` flag in `call_qftf_func`. On entry, if `recursive` is already `TRUE`, the function returns `NULL` immediately, preventing re-entrancy. The flag is set to `TRUE` at the start of the function and reset to `FALSE` on every exit path (including error paths). This simple guard ensures the function cannot be called recursively, eliminating the use-after-free condition [1].
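The guard described above, as an added example that is not code from Vim or from the fix commit: a miniature C model of a renderer that keeps a pointer across a user callback, first in the unguarded pre-fix shape and then with the static `recursive` flag. Everything in it except the name `recursive` and the `if (recursive) return` shape is a stand-in chosen for the model, and the way a nested call invalidates the outer call's memory (a cache that is freed and reallocated on every entry) is a modelling assumption, not Vim's actual code path. Rather than writing through the dangling pointer, the model detects it with a generation counter and reports it, so the program runs cleanly under a sanitizer.

```c
/* Added example, not Vim's code: model of the re-entrancy hazard and of the
   static `recursive` guard. All names except `recursive` are stand-ins. */
#include <stdio.h>
#include <stdlib.h>

#define TRUE  1
#define FALSE 0

/* Outcome of one render call. */
enum {
    RENDER_OK = 0,
    RENDER_CB_FAILED = 1,   /* the user callback reported an error */
    RENDER_REENTERED = 2,   /* the guard refused a nested call */
    RENDER_DANGLING = 3     /* unguarded model: the cache was freed under the outer call */
};

typedef int (*render_fn)(int nlines, int *filled);
typedef int (*qftf_cb_T)(void);      /* stand-in for 'quickfixtextfunc': 0 ok, -1 error */
static qftf_cb_T g_qftf_cb = NULL;
static render_fn g_render = NULL;    /* renderer a re-entering callback calls */
static int g_nested_rc = RENDER_OK;  /* outcome of the nested call, for inspection */

/* Modelling assumption: memory one invocation owns while the callback runs.
   It is freed and reallocated on every entry, so a nested entry pulls it out
   from under the outer one. The generation counter lets the model notice a
   stale pointer without dereferencing it. */
static int *g_cache = NULL;
static unsigned g_cache_gen = 0;

static void cache_reset(int len)
{
    free(g_cache);
    g_cache = len > 0 ? calloc((size_t)len, sizeof *g_cache) : NULL;
    g_cache_gen++;
}

/* Shared body: take the cache, run the callback, then fill the cache. */
static int render_body(int nlines, int *filled)
{
    cache_reset(nlines);
    int *mine = g_cache;             /* held across the callback, like qfl in call_qftf_func() */
    unsigned gen = g_cache_gen;

    if (g_qftf_cb != NULL && g_qftf_cb() != 0)
        return RENDER_CB_FAILED;
    if (g_cache_gen != gen)          /* a nested call freed and replaced the cache */
        return RENDER_DANGLING;      /* the real unguarded code writes through `mine` here */

    for (int i = 0; i < nlines; i++)
        mine[i] = i + 1;
    *filled = nlines;
    return RENDER_OK;
}

/* Pre-fix shape: nothing stops the callback from re-entering. */
int render_unguarded(int nlines, int *filled)
{
    return render_body(nlines, filled);
}

/* Post-fix shape: a static flag rejects re-entry and is cleared on every exit path. */
int render_guarded(int nlines, int *filled)
{
    static int recursive = FALSE;
    int rc;

    if (recursive)
        return RENDER_REENTERED;     /* mirrors `if (recursive) return NULL;` */
    recursive = TRUE;
    rc = render_body(nlines, filled);
    recursive = FALSE;               /* reached on the RENDER_CB_FAILED path too */
    return rc;
}

/* Constructed callback: re-enters the selected renderer exactly once. */
static int cb_reenter(void)
{
    static int depth = 0;
    int n = 0;
    if (depth++ == 0)
        g_nested_rc = g_render(2, &n);
    depth--;
    return 0;
}
static int cb_fail(void) { return -1; }

/* Scenario 1: the callback re-enters; returns the outer call's outcome. */
int scenario_reenter(int guarded)
{
    int filled = 0;
    g_render = guarded ? render_guarded : render_unguarded;
    g_qftf_cb = cb_reenter;
    int rc = g_render(3, &filled);
    g_qftf_cb = NULL;
    cache_reset(0);
    return rc;
}
int last_nested_rc(void) { return g_nested_rc; }

/* Scenario 2: the callback fails once; the guard must be clear afterwards. */
int scenario_error_then_retry(void)
{
    int filled = 0;
    g_qftf_cb = cb_fail;
    int rc1 = render_guarded(3, &filled);
    g_qftf_cb = NULL;
    int rc2 = render_guarded(3, &filled);
    cache_reset(0);
    return rc1 == RENDER_CB_FAILED && rc2 == RENDER_OK && filled == 3;
}

int main(void)
{
    int unguarded = scenario_reenter(0);
    int guarded = scenario_reenter(1);
    int nested = last_nested_rc();
    printf("unguarded outer rc=%d (3=dangling), guarded outer rc=%d, nested rc=%d (2=refused), retry ok=%d\n",
           unguarded, guarded, nested, scenario_error_then_retry());
    return 0;
}
```

Scenario 2 is the part of the fix that is easy to get wrong when porting this pattern: if the flag were not cleared on the callback-error path, one failing 'quickfixtextfunc' would leave the guarded function refusing every later call. Build with `cc -Wall -fsanitize=address` to confirm the model touches no freed memory.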
Preconditions
- config: The 'quickfixtextfunc' option must be set to a user-defined function that can trigger a recursive quickfix update.
- input: The attacker must be able to supply or influence the quickfix list content to cause the recursive invocation.
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/ (vendor advisory; via MITRE)
- security.gentoo.org/glsa/202305-16 (vendor advisory; via MITRE)
- github.com/vim/vim/commit/d6c67629ed05aae436164eec474832daf8ba7420 (fix commit; via MITRE)
- huntr.dev/bounties/53f53d9a-ba8a-4985-b7ba-23efbe6833be (bug report; via MITRE)
News mentions
No linked articles in our index yet.