VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 8, 2022· Updated Aug 3, 2024

NULL Pointer Dereference in vim/vim

CVE-2022-3153

Description

A NULL pointer dereference in Vim's assert_fails() function allows denial of service via crafted arguments.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A NULL pointer dereference in Vim's assert_fails() function allows denial of service via crafted arguments.

Vulnerability

A NULL pointer dereference vulnerability exists in the assert_fails() function of Vim prior to version 9.0.0404. When the function is called with invalid arguments, such as a Dictionary where a String is expected, the code path does not properly validate the argument type, leading to a NULL pointer dereference. This was fixed in commit 1540d334a04d874c2aa9d26b82dbbcd4bc5a78de [1].

Exploitation

An attacker can exploit this vulnerability by crafting a file or command that invokes assert_fails() with a Dictionary as the second argument (e.g., assert_fails('xxx', #{one: 1})). The attacker must convince a user to open the malicious file or execute the crafted command in Vim. No authentication or special privileges are required beyond user interaction.

Impact

Successful exploitation causes Vim to crash due to a NULL pointer dereference, resulting in a denial of service. The vulnerability does not allow arbitrary code execution or privilege escalation; the impact is limited to application termination.

Mitigation

The vulnerability is fixed in Vim version 9.0.0404 and later. Users should upgrade to at least this version. The Gentoo security advisory (GLSA 202305-16) recommends upgrading to >=app-editors/vim-9.0.1157 [2]. No workaround is available; upgrading is the only mitigation.

References
  1. patch 9.0.0404: crash when passing invalid arguments to assert_fails() · vim/vim@1540d33
  2. Multiple Vulnerabilities (GLSA 202305-16) — Gentoo security

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing type validation in assert_fails() allows a Dictionary to be treated as a String, causing a NULL pointer dereference."

Attack vector

An attacker can trigger a NULL pointer dereference by calling `assert_fails()` with a Dictionary (e.g., `#{one: 1}`) as the second or third argument instead of a String. This causes Vim to attempt to use the Dictionary as a String, leading to a crash. The attack requires the ability to execute Vimscript commands, such as through a crafted file that is opened in Vim [ref_id=1].

Affected code

The vulnerability is in the `assert_fails()` function in Vim's source code. The patch modifies the test file `src/testdir/test_assert.vim` and the corresponding C implementation (not shown in the diff) to handle invalid argument types passed to `assert_fails()`. The crash occurs when a Dictionary is passed where a String is expected for the second or third argument.

What the fix does

The patch adds test cases that verify `assert_fails()` properly throws error "E731: Using a Dictionary as a String" when a Dictionary is passed instead of a String. The underlying fix (not fully shown in the diff) adds a type check in the C implementation of `assert_fails()` to validate that the second and third arguments are Strings, returning an error instead of dereferencing a NULL pointer. This closes the vulnerability by preventing the crash through proper input validation [ref_id=1].

Preconditions

  • inputAttacker must be able to execute Vimscript commands, e.g., by tricking a user into opening a crafted file in Vim.
  • inputThe crafted Vimscript must call assert_fails() with a Dictionary as the second or third argument.

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3

News mentions

0

No linked articles in our index yet.