VYPR
Unrated severity · NVD Advisory · Published Mar 11, 2023 · Updated Feb 27, 2025

NULL Pointer Dereference in vim/vim

CVE-2023-1355

Description

Vim prior to 9.0.1402 has a NULL pointer dereference when accessing a null_class object, leading to a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A NULL pointer dereference vulnerability exists in the Vim text editor prior to version 9.0.1402. The flaw resides in the class_object_index function in src/eval.c [2]. When the Vim9 script feature is enabled and a script attempts to access a member of a null class (e.g., null_class.member), the code does not check if the class pointer (cl) is NULL before dereferencing it, leading to a crash. The crash is reproducible using a script line such as null_class.member in a Vim9 context [2]. Affected versions include all prior to 9.0.1402.

Exploitation

An attacker would need to convince a user or a system running a vulnerable Vim instance to execute a specially crafted Vim9 script that accesses a member of null_class [2]. This could be achieved via social engineering or by tricking the user into opening a file with the malicious script as part of its content (e.g., a modeline or autoload script). No additional network position or authentication is required beyond the ability to run the script in a Vim session [1], [3].

Impact

Successful exploitation causes a denial-of-service (DoS) condition by crashing the Vim process. The vulnerability does not directly lead to information disclosure or remote code execution, as the impact is limited to a NULL pointer dereference segfault [2], [3]. The attacker gains no elevated privilege or persistent compromise beyond the termination of the editor session.

Mitigation

The vulnerability is fixed in Vim version 9.0.1402, released on 2023-03-11 [2]. Users should update to this version or later. For systems where updating is not immediately possible, avoid running untrusted Vim9 scripts that contain references to null_class as a workaround [3]. No other workarounds are documented in the available references.
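
The following is an added example, not part of the advisory or of Vim's own code: a check that reads the text printed by `vim --version` and reports whether the build predates the 9.0.1402 fix. It assumes the usual "VIM - Vi IMproved X.Y" banner and "Included patches:" line; the sample outputs are constructed for illustration.

```python
import re

FIXED_RELEASE = (9, 0)   # release named in the advisory
FIXED_PATCH = 1402       # first patch level that contains the fix

def included_patches(text):
    """Return (lo, hi) ranges parsed from the 'Included patches:' line."""
    m = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    if not m:
        return []  # an unpatched release build prints no such line
    # Entries look like "1-1401" or, for builds with gaps, "1-3, 5, 7-10".
    return [(int(lo), int(hi or lo))
            for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", m.group(1))]

def is_affected(text):
    """True = predates the fix, False = fixed, None = banner not recognised."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)))
    if release != FIXED_RELEASE:
        return release < FIXED_RELEASE
    # Same release: the fix is present only if patch 1402 itself is listed.
    # Comparing against the highest patch number would miss builds with gaps.
    return not any(lo <= FIXED_PATCH <= hi for lo, hi in included_patches(text))

# Constructed sample outputs (first two lines of `vim --version`).
BANNER_90 = "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Mar 01 2023 10:00:00)\n"
SAMPLE_OLD = BANNER_90 + "Included patches: 1-1378\n"
SAMPLE_FIXED = BANNER_90 + "Included patches: 1-1402\n"
SAMPLE_GAP = BANNER_90 + "Included patches: 1-1401, 1403-1410\n"
SAMPLE_UNPATCHED = BANNER_90
SAMPLE_91 = "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Feb 01 2024 10:00:00)\n" \
            "Included patches: 1-16\n"

if __name__ == "__main__":
    for name, out in [("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED),
                      ("gap", SAMPLE_GAP), ("unpatched", SAMPLE_UNPATCHED),
                      ("9.1", SAMPLE_91)]:
        print(f"{name}: affected={is_affected(out)}")
```

To check a live host, pass the captured output of `vim --version` to is_affected(); a None result means the banner was not recognised and the build needs manual review.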

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

19


References

3
