VYPR
Unrated severity · NVD Advisory · Published May 9, 2023 · Updated Nov 3, 2025

Integer Overflow or Wraparound in vim/vim

CVE-2023-2610

Description

An integer overflow in Vim's substitute command prior to 9.0.1532 can cause a crash or denial of service when expanding '~' with a long previous substitution string.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An integer overflow or wraparound vulnerability exists in Vim's substitute command, affecting versions prior to 9.0.1532. The flaw resides in the regtilde() function in regexp.c. When the substitute pattern contains a ~ (tilde), which expands to the previous substitution string, Vim calculates the length of the new string by adding the length of the existing replacement text to the length of the previous substitution. Because this sum is not bounds-checked, an attacker can craft input where the combined length exceeds MAXCOL, causing an integer overflow that leads to a heap-based buffer overflow. The fix, introduced in commit ab9a2d884b3a4abe319606ea95a5a6d6b01cd73a, aborts with an error message if prevsublen > MAXCOL, newsublen > MAXCOL, or newsublen + prevsublen > MAXCOL [3].
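The length arithmetic described above, as an added example that is not Vim's source code: it contrasts a sum narrowed to 32 bits with a check built from the three conditions the advisory lists. The function names, the MAXCOL_LIMIT value (a 31-bit maximum standing in for MAXCOL) and the sample lengths are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for Vim's MAXCOL limit (31-bit maximum). */
#define MAXCOL_LIMIT ((size_t)0x7fffffff)

/* Unchecked model: the combined length is narrowed to 32 bits, as happens
 * when a size_t sum ends up in a 32-bit length variable. */
static uint32_t combined_len_unchecked(size_t newsublen, size_t prevsublen)
{
    return (uint32_t)(newsublen + prevsublen);   /* wraps modulo 2^32 */
}

/* Checked form using the three conditions the advisory lists.
 * Returns 0 and stores the length on success, -1 if the result is too long.
 * Testing each operand first means the sum itself cannot wrap size_t,
 * even where size_t is only 32 bits wide. */
static int combined_len_checked(size_t newsublen, size_t prevsublen,
                                size_t *out)
{
    if (prevsublen > MAXCOL_LIMIT || newsublen > MAXCOL_LIMIT
            || newsublen + prevsublen > MAXCOL_LIMIT)
        return -1;
    *out = newsublen + prevsublen;
    return 0;
}

int main(void)
{
    /* Constructed lengths: only arithmetic is shown, no buffers are used. */
    size_t newsublen = (size_t)0x80000010u;
    size_t prevsublen = (size_t)0x80000000u;
    size_t len = 0;
    int rc;

    printf("unchecked 32-bit length: %u\n",
           (unsigned)combined_len_unchecked(newsublen, prevsublen));
    rc = combined_len_checked(newsublen, prevsublen, &len);
    printf("checked, oversized input: %d\n", rc);
    rc = combined_len_checked(3, 4, &len);
    printf("checked, small input: %d (length %zu)\n", rc, len);
    return 0;
}
```

The unchecked sum of two lengths above the limit comes out as 16, far smaller than either input, which is how an undersized allocation can precede a much larger copy.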

Exploitation

An attacker must be able to supply a crafted substitute command to Vim, typically by opening a malicious file or through other text input. The attacker first performs a substitution (e.g., :s/foo/bar/) to set the previous substitution string to a very long value (e.g., a string of A characters near MAXCOL size). Then, another substitution using ~ (e.g., :s/~/more/) triggers the overflow because the sum of the lengths of the replacement and the previous string exceeds MAXCOL. No special user interaction beyond executing the substitute command is required; the attacker must rely on the victim to process the malicious text.

Impact

Successful exploitation can cause a crash (denial of service). The vulnerability may also allow arbitrary code execution, though the primary impact is a crash due to heap corruption. The overflow occurs during string concatenation, and the advisory from the Vim project lists this as a crash fix [3]. The privilege level required is that of the user running Vim; the attacker gains the ability to terminate the editor or corrupt memory.

Mitigation

Users should upgrade to Vim version 9.0.1532 or later, released on May 9, 2023 [3]. The fix adds an explicit length check to prevent the overflow. Users of Fedora and other Linux distributions can update via their package manager once the patched version is available [4]. Apple's security updates for macOS Monterey 12.6.8 and macOS Big Sur 11.7.9 reference unrelated CVEs and do not address this issue [1][2]. No workaround exists beyond avoiding untrusted substitute commands with tilde expansions. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
