Out-of-bounds Write in vim/vim
Description
Out-of-bounds write in Vim's substitute command prior to 9.0.1145 allows memory corruption via crafted recursive substitute expressions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds write exists in Vim's do_string_sub function and is reached when a substitute expression recurses back into the substitute machinery. The flaw occurs when vim_regsub returns a replacement length (sublen) of zero or less: the caller goes on to size and write the result buffer with that value, so the writes that follow land past the allocation. Vim versions prior to 9.0.1145 are affected [2].
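The sizing arithmetic that turns a non-positive sublen into a write past the buffer, as an added model in C. This is illustrative code written for this page, not Vim's do_string_sub or vim_regsub: garray_t, ga_grow, ga_append, regsub_model_t, model_regsub and do_string_sub_model are invented names, the two-pass sizing/copy contract and the exact-fit buffer are assumptions chosen so that an undersized reservation is caught and reported instead of corrupting memory, and the guard on the hardened path is the obvious check for the flaw as described above, not a copy of the upstream fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Exact-fit growable buffer in the spirit of Vim's garray_T. Capacity is never
 * rounded up, so an undersized reservation shows up as a refused write. */
typedef struct { char *data; long len; long cap; } garray_t;

static int ga_grow(garray_t *ga, long n)        /* non-positive n is a no-op, as in Vim */
{
    char *p;
    if (n <= 0 || ga->len + n <= ga->cap) return 0;
    if ((p = realloc(ga->data, (size_t)(ga->len + n))) == NULL) return -1;
    ga->data = p;
    ga->cap = ga->len + n;
    return 0;
}

/* Bounds-checked append: fails exactly where unchecked code would write past
 * the allocation, i.e. where a sanitizer would report heap-buffer-overflow. */
static int ga_append(garray_t *ga, const char *src, long n)
{
    if (n < 0 || ga->len + n > ga->cap) return -1;
    memcpy(ga->data + ga->len, src, (size_t)n);
    ga->len += n;
    return 0;
}

/* Stand-in for a two-pass vim_regsub(): the sizing pass reports the replacement
 * length including its NUL, the copy pass writes the text. sizing_result <= 0
 * models the faulty path, on which a recursive \= expression leaves the sizing
 * pass reporting a non-positive length while the copy pass still produces text
 * (an assumption made for this model, not Vim's code). */
typedef struct { const char *repl; long sizing_result; } regsub_model_t;

static long model_regsub(const regsub_model_t *rs, char *dst)
{
    if (dst == NULL) return rs->sizing_result;          /* sizing pass */
    memcpy(dst, rs->repl, strlen(rs->repl));            /* copy pass */
    return (long)strlen(rs->repl);
}

enum { SUB_OK = 0, SUB_OOB_WRITE = 1, SUB_ABORTED = 2 };

/* Replace every literal pat in str. hardened == 0 feeds the sizing result into
 * the reservation unchecked; hardened == 1 rejects a non-positive result before
 * any write (the guard the flaw calls for, assumed rather than copied from the
 * fix). On SUB_OK the NUL-terminated result is copied into out. */
static int do_string_sub_model(const char *str, const char *pat,
                               const regsub_model_t *rs, int hardened,
                               char *out, size_t outsz)
{
    garray_t ga = { NULL, 0, 0 };
    char tmp[256];
    long patlen = (long)strlen(pat), sublen;
    const char *tail = str, *end = str + strlen(str), *m;
    int status = SUB_OK;

    if (patlen == 0 || strlen(rs->repl) >= sizeof tmp) return SUB_ABORTED;
    while (status == SUB_OK && (m = strstr(tail, pat)) != NULL) {
        sublen = model_regsub(rs, NULL);
        if (hardened && sublen <= 0) { status = SUB_ABORTED; break; }  /* bail, touch nothing */
        /* Vim-style reservation: unscanned remainder plus replacement, less the
         * match. Exact when sublen is honest; short by strlen(repl) + 1 or more
         * when sublen <= 0, so the writes below run past the buffer. */
        if (ga_grow(&ga, (end - tail) + sublen - patlen) < 0)
            status = SUB_ABORTED;
        else if (ga_append(&ga, tail, m - tail) < 0)        /* text before the match */
            status = SUB_OOB_WRITE;
        else if (ga_append(&ga, tmp, model_regsub(rs, tmp)) < 0)  /* the replacement */
            status = SUB_OOB_WRITE;
        tail = m + patlen;
    }
    /* No match at all: nothing was reserved yet, so reserve room for a plain copy. */
    if (status == SUB_OK && ga.cap == 0 && ga_grow(&ga, (end - tail) + 1) < 0)
        status = SUB_ABORTED;
    if (status == SUB_OK && ga_append(&ga, tail, (end - tail) + 1) < 0)  /* rest + NUL */
        status = SUB_OOB_WRITE;
    if (status == SUB_OK) {
        if ((size_t)ga.len <= outsz) memcpy(out, ga.data, (size_t)ga.len);
        else status = SUB_ABORTED;
    }
    free(ga.data);
    return status;
}

int main(void)
{
    char out[64];
    regsub_model_t honest = { "BB", 3 }, faulty = { "BB", 0 };   /* 3 = strlen("BB") + NUL */
    int s = do_string_sub_model("aXbXc", "X", &honest, 0, out, sizeof out);
    printf("honest sizing:       status %d, result \"%s\"\n", s, s == SUB_OK ? out : "");
    printf("sublen 0, unguarded: status %d (1 = out-of-bounds write caught)\n",
           do_string_sub_model("aXbXc", "X", &faulty, 0, out, sizeof out));
    printf("sublen 0, guarded:   status %d (2 = aborted cleanly)\n",
           do_string_sub_model("aXbXc", "X", &faulty, 1, out, sizeof out));
    return 0;
}
```

Build with cc -std=c99 and run: the honest callback produces aBBbBBc, the callback that reports a length of 0 makes the unguarded loop attempt a write beyond its reservation (status 1), and the guarded loop refuses the same input before any memory is touched (status 2). Replacing the check in ga_append with a raw memcpy and running under AddressSanitizer turns status 1 into a heap-buffer-overflow report, which is the behaviour the page attributes to Vim before 9.0.1145.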
Exploitation
An attacker can craft a file containing a recursive substitute expression (the reported trigger has the shape :s/\%')/\=Repl(...)) that makes sublen non-positive. The victim must open the file in Vim and execute the substitute command. No authentication or special privileges are required; the attacker only needs to get the crafted file in front of a user who opens it in Vim and runs the substitution.
Impact
Successful exploitation yields an out-of-bounds write and therefore memory corruption. The reliable outcome is a crash of the editor (denial of service); arbitrary code execution is possible in principle but depends on the heap layout and on how much of the overwritten data the attacker controls.
Mitigation
The vulnerability is fixed in Vim 9.0.1145 [2]. Gentoo recommends upgrading to 9.0.1157 or later [3]. No workaround is available; users should update their Vim installation. Inside a running Vim, :echo has('patch-9.0.1145') prints 1 when the fix is present, which is a quicker check than comparing distribution package versions.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
16 OSV package coordinates (no CPE entries); distribution packages below the listed build are affected:
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.2 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP3 (range: < 9.0.1234-150000.5.34.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4 (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209 (range: < 9.0.1234-17.12.1)
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209 (range: < 9.0.1234-17.12.1)
Patches
No patches discovered yet (the upstream vim/vim commit is listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- security.gentoo.org/glsa/202305-16 (mitre; vendor advisory)
- seclists.org/fulldisclosure/2023/Mar/17 (mitre; mailing list)
- lists.debian.org/debian-lts-announce/2023/06/msg00015.html (mitre; mailing list)
- github.com/vim/vim/commit/3ac1d97a1d9353490493d30088256360435f7731 (mitre; upstream commit)
- huntr.dev/bounties/b289ee0f-fd16-4147-bd01-c6289c45e49d (mitre)
- support.apple.com/kb/HT213670 (mitre)
News mentions
No linked articles in our index yet.