Use After Free in vim/vim
Description
Vim prior to 9.0.1840 contains a use-after-free vulnerability in do_ecmd that can be exploited by opening a crafted file to cause a crash or arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The use-after-free vulnerability exists in the do_ecmd function of Vim versions prior to 9.0.1840. The bug occurs when resetting visual mode before switching buffers; an autocommand triggered by ModeChanged can free the window (oldwin), leading to a use-after-free condition when oldwin is later dereferenced without a validity check [2].
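The stale-pointer pattern described above, reduced to a toy window list. This is an added example, not Vim's code or the upstream patch, and every name in it (`win_t`, `win_is_valid`, `switch_buffer`, `close_victim`) is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy model; every name here is hypothetical, not taken from Vim's source. */
typedef struct win { int id; struct win *next; } win_t;
typedef void (*autocmd_fn)(void);
static win_t *first_win, *cur_win, *victim;   /* live list, current, target */

static win_t *win_new(int id) {
    win_t *w = malloc(sizeof *w);
    if (w == NULL) abort();
    w->id = id; w->next = first_win; first_win = w;
    return w;
}

/* Unlink and free a window, as a command run by an autocommand could. */
static void win_close(win_t *w) {
    for (win_t **pp = &first_win; *pp != NULL; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; break; }
    if (cur_win == w) cur_win = first_win;
    free(w);
}

/* Walks the live list comparing addresses; never dereferences w itself. */
static int win_is_valid(const win_t *w) {
    for (const win_t *p = first_win; p != NULL; p = p->next)
        if (p == w) return 1;
    return 0;
}

static void close_victim(void) { win_close(victim); }  /* sample handler */

/* Hardened shape: oldwin is re-validated after the handler has run. Without
 * the win_is_valid() test, oldwin->id would be read from freed memory. */
static int switch_buffer(win_t *oldwin, autocmd_fn on_mode_changed) {
    if (on_mode_changed) on_mode_changed();   /* stands in for the mode reset */
    if (!win_is_valid(oldwin)) oldwin = cur_win;   /* fall back to live window */
    return oldwin ? oldwin->id : -1;
}

/* Constructed scenario: window 2 is held as oldwin while window 1 is current. */
static int demo(int handler_closes_oldwin) {
    first_win = NULL;
    cur_win = win_new(1);
    victim = win_new(2);
    return switch_buffer(victim, handler_closes_oldwin ? close_victim : NULL);
}

int main(void) {
    printf("quiet handler: %d, closing handler: %d\n", demo(0), demo(1));
    return 0;
}
```

Building the variant without the validity test under AddressSanitizer (`-fsanitize=address`) makes the freed read show up as a heap-use-after-free report instead of silent corruption.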
Exploitation
An attacker can exploit this vulnerability by crafting a malicious file that, when opened with Vim, triggers the vulnerable code path. The user must open the file using Vim (e.g., by running vim malicious_file). No authentication or special privileges are required beyond normal file access. The exploit utilizes autocommands that fire during buffer switching to free the window structure, causing the use-after-free.
Impact
Successful exploitation can lead to arbitrary code execution or unexpected termination of Vim. The impact is limited to the application context, but if Vim is used in elevated environments (e.g., editing system files with sudo), code execution could lead to privilege escalation.
Mitigation
The vulnerability is fixed in Vim version 9.0.1840, released on September 3, 2023 [2]. Users should update to this version or later. No workarounds are available; applying the patch is the recommended action. Linux distributions such as Fedora have issued package updates, though the specific advisories are not fully accessible.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
28 total
- osv-coords (26 versions):
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 9.0.2103-150500.20.6.1
  - pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (no CPE), range: < 9.0.2103-150500.20.6.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE), range: < 9.0.2103-150500.20.6.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (no CPE), range: < 9.0.2103-150500.20.6.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 (no CPE), range: < 9.0.1894-17.23.2
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 (no CPE), range: < 9.0.1894-17.23.2
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.2 (no CPE), range: < 9.0.1894-150000.5.54.1
  - pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.2 (no CPE), range: < 9.0.1894-150000.5.54.1
Patches
No patches discovered yet.
References
- seclists.org/fulldisclosure/2023/Oct/24 (mitre)
- github.com/vim/vim/commit/e1dc9a627536304bc4f738c21e909ad9fcf3974c (mitre)
- huntr.dev/bounties/1ce1fd8c-050a-4373-8004-b35b61590217 (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I56ITJAFMFAQ2G3BMGTCGM3GS62V2DTR/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ITRVK4FB74RZDIGTZJXOZMUW6X6F4TNF/ (mitre)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PFE3LDFRZ7EGWA5AU7YHYL62ELBOFZWQ/ (mitre)
- support.apple.com/kb/HT213984 (mitre)