Use After Free in vim/vim

Vulnerability

CVE-2022-3016 is a use-after-free vulnerability in Vim, affecting versions prior to 9.0.0286. The bug resides in the quickfix/location list jump code, specifically in the functions qf_jump_edit_buffer and qf_jump_open_window. When Vim opens a buffer during a quickfix or location list jump, an autocommand can modify the list, causing Vim to use freed memory. The patch introduces a new return value QF_ABORT to handle this case and avoid accessing freed memory [1].

Exploitation

An attacker must first craft a Vim session where an autocommand is set to modify the quickfix or location list when a buffer is opened. The attacker then needs to trigger a jump to an entry in that list, for example by using the :cnext or :lnext commands. When Vim executes the jump, the autocommand runs and frees the list while Vim still holds a reference to it, leading to a use-after-free condition. No authentication or special network position is required if the attacker can supply a malicious Vim script or file that triggers the autocommand [1].

Impact

Successful exploitation can lead to a denial of service (crash) or potentially arbitrary code execution in the context of the Vim process, depending on how the freed memory is reused. The vulnerability has a CVSS score of 9.8 (critical), indicating high impact on confidentiality, integrity, and availability. The Gentoo advisory lists this as part of a set of vulnerabilities that could result in denial of service [3].

Mitigation

The vulnerability is fixed in Vim version 9.0.0286. Users should upgrade to this version or later. The patch [1] addresses the use-after-free by checking the list validity and returning a new status code. Gentoo recommends updating to >=app-editors/vim-9.0.1157 or >=app-editors/gvim-9.0.1157 [3]. No known workaround exists for unpatched versions. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.