VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 18, 2022· Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2022-3235

Description

A use-after-free vulnerability in Vim's command-line window and BufEnter autocmd can lead to memory corruption when a freed buffer pointer is accessed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in Vim's command-line window and BufEnter autocmd can lead to memory corruption when a freed buffer pointer is accessed.

Vulnerability

A use-after-free vulnerability exists in Vim prior to version 9.0.0490. The bug is located in the getcmdline_int() function, where a pointer (b_im_ptr) to a buffer's b_p_iminsert or b_p_imsearch field was stored without tracking which buffer it belongs to. When the command-line window (cmdwin) triggers a BufEnter autocmd, the buffer can be freed, leaving the pointer dangling. The patch introduces a new variable b_im_ptr_buf to validate the buffer before dereferencing.

Exploitation

An attacker can exploit this vulnerability by crafting a sequence of Vim commands that trigger the command-line window with a BufEnter autocmd, which causes the target buffer to be freed. The attacker must be able to execute arbitrary Vim commands (e.g., via a malicious file that sets up autocmds and runs :normal). The race window involves the freed buffer's memory being reused before the dangling pointer is accessed.

Impact

Successful exploitation allows an attacker to access freed memory, leading to a use-after-free condition. This can result in memory corruption, potentially enabling arbitrary code execution or causing a denial of service crash. The attacker gains the privilege level of the Vim process.

Mitigation

The vulnerability is fixed in Vim version 9.0.0490, released on 2022-09-18 [1]. Users should upgrade to this version or later. No workarounds are available for earlier versions. Fedora package announcements are available but do not provide further details [2][3][4].

References
  1. patch 9.0.0490: using freed memory with cmdwin and BufEnter autocmd · vim/vim@1c3dd8d
  2. Making sure you're not a bot!
  3. Making sure you're not a bot!
  4. Making sure you're not a bot!

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free: a pointer (`b_im_ptr`) into the current buffer is cached but not invalidated when a `BufEnter` autocommand switches buffers during command-line editing, causing the pointer to reference freed memory."

Attack vector

An attacker can trigger a use-after-free by crafting a file that, when opened, causes a `BufEnter` autocommand to switch buffers while the command-line window (`cmdwin`) is active. The sequence is: open a file that sets up a `BufEnter` autocommand (e.g., `au BufEnter * next 0| file`), then enter command-line mode (e.g., with `q/`). When the autocommand fires during command-line editing, `curbuf` changes and the previously saved `b_im_ptr` points into freed memory. The attacker does not need authentication if they can trick a victim into opening the crafted file [ref_id=1].

Affected code

The vulnerability is in the `getcmdline_int()` function in Vim's command-line editing code. The patch shows that a pointer `b_im_ptr` was stored pointing into `curbuf` (the current buffer), but when a `BufEnter` autocommand switches buffers during command-line editing, `curbuf` changes and `b_im_ptr` becomes a dangling pointer to freed memory. The fix introduces a companion variable `b_im_ptr_buf` to track which buffer the pointer belongs to, and adds `buf_valid()` checks before dereferencing `b_im_ptr`.

What the fix does

The patch introduces `b_im_ptr_buf`, a pointer to the buffer that `b_im_ptr` belongs to, set alongside `b_im_ptr` at initialization. Before dereferencing `b_im_ptr` in the `Ctrl_HAT` handler and in the `im_save_status` call, the code now checks `buf_valid(b_im_ptr_buf)` — if the buffer has been freed, `b_im_ptr` is treated as NULL (or skipped) instead of being used as a dangling pointer. This closes the use-after-free by ensuring the pointer is only used when its originating buffer is still valid [ref_id=1].

Preconditions

  • inputVictim must open a file that defines a BufEnter autocommand which switches buffers
  • authAttacker must trick the victim into opening the crafted file (no authentication required)

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.