Heap-based Buffer Overflow in vim/vim
Description
Heap buffer overflow in Vim ≤9.0.0946 via CTRL-W gf in substitute expression allows arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow exists in Vim versions 9.0.0946 and below. The flaw occurs in the substitute command when the right-hand side expression contains a CTRL-W gf sequence that attempts to open another file. The code path does not properly validate text locking, leading to an invalid memory access [1].
Exploitation
An attacker can exploit this vulnerability by crafting a malicious file that, when opened in Vim, triggers a substitute command with an expression containing CTRL-W gf. The user must execute the substitute command (e.g., via :s/// or similar) while the crafted file is active. No authentication is required beyond the user opening the file. The sequence of steps involves the attacker providing the file, the user opening it, and the user running the substitute command, which then causes the heap overflow [1].
Impact
Successful exploitation results in heap memory corruption, which can lead to arbitrary code execution or denial of service. The attacker gains the privileges of the user running Vim, potentially compromising the system [1].
Mitigation
The vulnerability is fixed in Vim version 9.0.0947, as per commit cc762a48d42b579fb7bdec2c614636b830342dd5 [1]. Gentoo security advisory GLSA 202305-16 recommends upgrading to Vim ≥9.0.1157 [4]. No workaround is available; users should update to the latest patched version.
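A check against the fix boundary given above, as an added example that is not part of the original page or of the Vim project: it classifies the text printed by `vim --version`, and the function name `vim_cve_status` and the sample header are constructed for illustration. It tests whether upstream patch 947 is actually in the "Included patches" list rather than comparing the highest number, so a distribution build that backports the fix without listing the patch will read as vulnerable and should be checked against the distribution's advisory instead.

```shell
#!/bin/sh
# Added example: classify `vim --version` output against the fix boundary
# stated on this page (fixed in 9.0.0947, i.e. patch 947 on top of Vim 9.0).
FIX_MAJOR=9 FIX_MINOR=0 FIX_PATCH=947

# Reads `vim --version` text on stdin; prints vulnerable | patched | unknown.
vim_cve_status() {
    awk -v fmaj="$FIX_MAJOR" -v fmin="$FIX_MINOR" -v fpatch="$FIX_PATCH" '
    /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
        # Field 5 of the banner line is "major.minor", e.g. 9.0
        split($5, v, /\./)
        maj = v[1] + 0; min = v[2] + 0; seen = 1
    }
    /^Included patches:/ {
        # The list may have gaps ("1-900, 947"), so test every range.
        sub(/^Included patches:[ ]*/, "")
        n = split($0, parts, /,[ ]*/)
        for (i = 1; i <= n; i++) {
            m = split(parts[i], r, "-")
            lo = r[1] + 0; hi = (m > 1 ? r[2] : r[1]) + 0
            if (lo <= fpatch && fpatch <= hi) has_fix = 1
        }
    }
    END {
        if (!seen) { print "unknown"; exit }
        # Any release line newer than 9.0 already contains the fix.
        if (maj > fmaj || (maj == fmaj && min > fmin)) { print "patched"; exit }
        # Older release lines never receive patch 9.0.0947.
        if (maj < fmaj || min < fmin) { print "vulnerable"; exit }
        print (has_fix ? "patched" : "vulnerable")
    }'
}

# Constructed sample banner (not captured from a real host).
SAMPLE='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Dec 01 2022 10:00:00)
Included patches: 1-946'
printf '%s\n' "$SAMPLE" | vim_cve_status

# On a live host: vim --version | vim_cve_status
```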
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
36 package entries from OSV coordinates (rpm package vim, purl prefixes pkg:rpm/opensuse/vim and pkg:rpm/suse/vim), none with a CPE.
Range: < 9.0.1040-150000.5.31.1
- openSUSE Leap 15.3
- openSUSE Leap 15.4
- openSUSE Leap Micro 5.2
- openSUSE Leap Micro 5.3
- SUSE Enterprise Storage 6
- SUSE Enterprise Storage 7
- SUSE Enterprise Storage 7.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS
- SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS
- SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS
- SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
- SUSE Linux Enterprise Micro 5.1
- SUSE Linux Enterprise Micro 5.2
- SUSE Linux Enterprise Micro 5.3
- SUSE Linux Enterprise Module for Basesystem 15 SP4
- SUSE Linux Enterprise Module for Desktop Applications 15 SP4
- SUSE Linux Enterprise Real Time 15 SP3
- SUSE Linux Enterprise Server 15 SP1-LTSS
- SUSE Linux Enterprise Server 15 SP2-LTSS
- SUSE Linux Enterprise Server 15 SP3-LTSS
- SUSE Linux Enterprise Server for SAP Applications 15 SP1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2
- SUSE Linux Enterprise Server for SAP Applications 15 SP3
- SUSE Manager Proxy 4.1
- SUSE Manager Proxy 4.2
- SUSE Manager Retail Branch Server 4.1
- SUSE Manager Retail Branch Server 4.2
- SUSE Manager Server 4.1
- SUSE Manager Server 4.2
Range: < 9.0.1234-17.12.1
- SUSE Linux Enterprise Server 12 SP2-BCL
- SUSE Linux Enterprise Server 12 SP4-LTSS
- SUSE Linux Enterprise Server 12 SP5
- SUSE Linux Enterprise Server for SAP Applications 12 SP4
- SUSE Linux Enterprise Server for SAP Applications 12 SP5
- SUSE OpenStack Cloud 9
- SUSE OpenStack Cloud Crowbar 9
Patches
No patches discovered yet.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AZ3JMSUCR6Y7626RDWQ2HNSUFIQOJ33G/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6ZNKVN4GICORTVFKVCM4MSOXCYWNHUC/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202305-16 (mitre, vendor-advisory)
- lists.debian.org/debian-lts-announce/2023/06/msg00015.html (mitre, mailing-list)
- github.com/vim/vim/commit/cc762a48d42b579fb7bdec2c614636b830342dd5 (mitre)
- huntr.dev/bounties/20ece512-c600-45ac-8a84-d0931e05541f (mitre)