Use After Free in vim/vim
Description
A use-after-free vulnerability in Vim's quickfix buffer handling when 'quickfixtextfunc' is set can cause a crash, fixed in version 9.0.0322.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in Vim's quickfix buffer filling function qf_fill_buffer in src/quickfix.c. When the quickfixtextfunc option is set and the quickfix list is empty (i.e., qfl->qf_start is NULL), the code path dereferences a freed pointer, leading to a crash. The issue affects Vim versions prior to 9.0.0322. The fix adds a NULL check for qfl->qf_start before proceeding [1].
Exploitation
An attacker can trigger the vulnerability by crafting a Vim script that sets quickfixtextfunc and then invokes a quickfix command (e.g., cgetfile) on an empty list. The test case in the commit reproduces the crash by running a separate Vim instance with a script that executes cgetexpr '0' and cope, sets &quickfixtextfunc, and then runs cgetfile [1]. No authentication is required if the attacker can supply a malicious file or persuade a user to run the script.
Impact
Successful exploitation results in a use-after-free condition, causing Vim to crash (denial of service). The crash occurs in the context of the Vim process; no code execution is demonstrated in the available references, but use-after-free vulnerabilities can potentially be leveraged for arbitrary code execution depending on memory layout.
Mitigation
The vulnerability is fixed in Vim version 9.0.0322, released on 2022-08-30. Users should update to this version or later. No workaround is documented; the fix is a one-line NULL check. Fedora package announcements are among the references, but their content could not be retrieved; users should apply the official patch [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
39 OSV package coordinates (no CPE), each with its affected version range:
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.2 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Tumbleweed (no CPE), range: < 9.0.0453-2.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1 (no CPE), range: < 9.0.0814-150000.5.28.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209 (no CPE), range: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (no CPE), range: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free when accessing a freed quickfix list whose `qf_start` pointer has been invalidated."
Attack vector
An attacker can trigger this use-after-free by crafting a Vim script that sets the `quickfixtextfunc` option and then invokes `cgetfile` or `cgetexpr` on an empty or invalid quickfix list [ref_id=1]. When the quickfix list is empty, the list structure is freed but `qf_fill_buffer()` does not check whether `qf_start` is NULL before dereferencing it, leading to a crash [ref_id=1]. The attack requires the victim to open a malicious file or execute a crafted Vim script.
Affected code
The vulnerable function is `qf_fill_buffer()` in the Vim source, where the check `if (qfl != NULL)` was insufficient [ref_id=1]. The patch modifies the condition to `if (qfl != NULL && qfl->qf_start != NULL)` at the same location [ref_id=1].
What the fix does
The patch adds a NULL check for `qfl->qf_start` in `qf_fill_buffer()` before proceeding to display the quickfix list [ref_id=1]. Previously the code only checked `qfl != NULL`; after the fix, both `qfl` and `qfl->qf_start` must be non-NULL [ref_id=1]. This prevents dereferencing a freed list pointer when the quickfix list is empty. The test `Test_empty_list_quickfixtextfunc()` reproduces the crash by running Vim with a script that sets `quickfixtextfunc` and calls `cgetfile` on an empty list [ref_id=1].
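As an added illustration of the guard change described under "Affected code" and "What the fix does" (this is not Vim's code and not from the advisory or the commit): a minimal C model of a list whose `qf_start` pointer is reset when the list is emptied, with the pre-fix guard shape beside the post-fix one. Every struct, field and function name here (`qf_list`, `qf_entry`, `qf_add_entry`, `qf_free_entries`, `qf_fill_buffer_unchecked`, `qf_fill_buffer_checked`, `bracket_text_func`, `demo_fill_after_empty`) is a hypothetical stand-in; only the shape of the condition `qfl != NULL && qfl->qf_start != NULL` mirrors the patch.

```c
/* Added example, not Vim's code: a minimal model of a quickfix-style list
 * showing why the fixed guard tests the list pointer AND its first-entry
 * pointer.  All names here are hypothetical stand-ins for Vim's. */
#include <stdio.h>
#include <stdlib.h>
#define LINE_LEN 64

struct qf_entry {
    char text[LINE_LEN];
    struct qf_entry *next;
};

struct qf_list {
    struct qf_entry *qf_start;  /* first entry; NULL once the list is empty */
};

/* Stand-in for the user-supplied 'quickfixtextfunc': formats one entry. */
typedef void (*text_func)(const struct qf_entry *e, char *out, size_t outlen);

static void bracket_text_func(const struct qf_entry *e, char *out, size_t outlen)
{
    snprintf(out, outlen, "[%s]", e->text);
}

/* Prepend an entry; returns 0 on success, -1 if calloc fails. */
int qf_add_entry(struct qf_list *qfl, const char *text)
{
    struct qf_entry *e = calloc(1, sizeof *e);
    if (e == NULL)
        return -1;
    snprintf(e->text, sizeof e->text, "%s", text);
    e->next = qfl->qf_start;
    qfl->qf_start = e;
    return 0;
}

/* Free every entry and reset qf_start.  The reset is what gives the NULL
 * check in the fixed routine its meaning: a freed pointer left in place
 * would pass the check and still be a use-after-free. */
void qf_free_entries(struct qf_list *qfl)
{
    struct qf_entry *e = qfl->qf_start, *next;
    while (e != NULL) {
        next = e->next;
        free(e);
        e = next;
    }
    qfl->qf_start = NULL;
}

/* Pre-fix shape of the guard (`if (qfl != NULL)` only): on an empty list
 * qf_start is NULL and the first e->text read faults.  Kept for comparison
 * only; never call it on an empty list. */
int qf_fill_buffer_unchecked(const struct qf_list *qfl, text_func fn,
                             char lines[][LINE_LEN], int maxlines)
{
    int n = 0;
    if (qfl != NULL) {
        const struct qf_entry *e = qfl->qf_start;
        do {
            if (n < maxlines)
                fn(e, lines[n++], LINE_LEN);
            e = e->next;
        } while (e != NULL);
    }
    return n;
}

/* Post-fix shape of the guard: list and first entry must both be non-NULL
 * before any entry is touched; an empty list fills zero lines. */
int qf_fill_buffer_checked(const struct qf_list *qfl, text_func fn,
                           char lines[][LINE_LEN], int maxlines)
{
    int n = 0;
    const struct qf_entry *e;
    if (qfl != NULL && qfl->qf_start != NULL)
        for (e = qfl->qf_start; e != NULL; e = e->next)
            if (n < maxlines)
                fn(e, lines[n++], LINE_LEN);
    return n;
}

/* Fill a two-entry list, empty it (the advisory's "empty list" state) and
 * fill again; reports both counts, returns 0 or -1 on allocation failure. */
int demo_fill_after_empty(int *before, int *after)
{
    struct qf_list qfl = { NULL };
    char lines[4][LINE_LEN];
    if (qf_add_entry(&qfl, "a.c:1: error") != 0 ||
        qf_add_entry(&qfl, "b.c:2: warning") != 0) {
        qf_free_entries(&qfl);
        return -1;
    }
    *before = qf_fill_buffer_checked(&qfl, bracket_text_func, lines, 4);
    qf_free_entries(&qfl);
    *after = qf_fill_buffer_checked(&qfl, bracket_text_func, lines, 4);
    return 0;
}
```

The point a reviewer takes from the side-by-side is that the second half of the condition only protects anything because whatever empties the list also resets `qf_start`; freeing the entries and leaving the old pointer in place would pass the check and still read freed memory. That is a general C hygiene observation about this model, not a statement about how Vim's own list management is implemented.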
Preconditions
- config: The 'quickfixtextfunc' option must be set to a function that triggers a quickfix list operation.
- input: The attacker must supply a Vim script that calls cgetfile or cgetexpr on an empty quickfix list.
Reproduction
The test in the patch reproduces the crash by writing a Vim script to a file and running it in a separate Vim instance [ref_id=1]:
```
" text function later assigned to 'quickfixtextfunc'; it replaces the
" current quickfix list with a new one
func s:Func(o)
  cgetexpr '0'
endfunc
" open the quickfix window
cope
let &quickfixtextfunc = 's:Func'
" read errors from a file named "[" (no entries, so the list stays empty)
cgetfile [
```
Save this script as `Xquickfixtextfunc` and run: `vim -e -s -S Xquickfixtextfunc -c qa` [ref_id=1].
Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RY3GEN2Q46ZJKSNHTN2XB6B3VAJBEILN/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VHJ6LCLHGGVI2U6ZHXHTZ2PYP4STC23N/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XWOJOA7PZZAMBI5GFTL6PWHXMWSDLUXL/ (MITRE, vendor advisory, x_refsource_FEDORA)
- github.com/vim/vim/commit/4f1b083be43f351bc107541e7b0c9655a5d2c0bb (MITRE, x_refsource_MISC)
- huntr.dev/bounties/af4c2f2d-d754-4607-b565-9e92f3f717b5 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.