Heap-based Buffer Overflow in vim/vim

Vulnerability

A heap-based buffer overflow vulnerability exists in the nv_scroll function in Vim prior to version 9.0.1189. When a user performs a cursor movement command (e.g., "L") on a line that is within a fold, the incomplete bounds check on curwin->w_cursor.lnum can cause it to be decremented below curwin->w_topline, leading to an out-of-bounds memory access. The issue arises because the code path for folding does not properly validate the cursor position after unfolding [2].

Exploitation

An attacker must be able to convince a Vim user to open a specially crafted file that causes the cursor to be positioned within a fold, then execute the "L" command (or another similar scroll command) to trigger the vulnerable code. No special network access or elevated privileges are required; the attack relies on user interaction [2]. The vulnerable code path is reached when hasFolding() returns a different line number and --curwin->w_cursor.lnum is performed without checking if it remains above curwin->w_topline [2].

Impact

Successful exploitation could lead to a heap-based buffer overflow, potentially allowing an attacker to cause a denial of service (application crash) or, in extreme cases, execute arbitrary code in the context of the Vim process. The impact is local to the user's session, with the attacker gaining the same privileges as the user running Vim [1][2].

Mitigation

The vulnerability is fixed in Vim version 9.0.1189, released on January 13, 2023 [2]. Users should update to the latest Vim version. Apple included the fix in macOS Ventura 13.3 as part of a broader security update [1]. No workaround is available, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.