VYPR
Unrated severity · NVD Advisory · Published Sep 4, 2023 · Updated Feb 13, 2025

Use After Free in vim/vim

CVE-2023-4750

Description

A use-after-free in Vim's quickfix window handling (is_qf_win) before 9.0.1857 can lead to arbitrary code execution via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in the is_qf_win() function in Vim prior to version 9.0.1857 [2]. The bug is triggered in the quickfix window handling code when processing a specially crafted file, causing a heap-use-after-free condition [2]. All versions before the fix are affected.

Exploitation

An attacker can exploit this by crafting a malicious file that, when opened by a victim in Vim, triggers the use-after-free in is_qf_win() [2]. No special privileges are required beyond the ability to convince the victim to open the file. The Vim project's test case demonstrates the crash using a proof-of-concept file [2].

Impact

Successful exploitation can lead to arbitrary code execution in the context of the Vim process [1]. The impact may also include unexpected application termination (denial of service) [1]. The attacker could potentially execute arbitrary commands or compromise the system if Vim is running with elevated privileges.

Mitigation

The vulnerability is fixed in Vim version 9.0.1857, released as part of the patch series [2]. Users should update to the latest version. Apple included the fix in macOS Sonoma 14.1 [1]. Fedora package announcements were made [3][4], but the content is unavailable; users should apply updates from their distribution. No workaround is described; updating is the recommended mitigation.
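A defender-side check against the 9.0.1857 threshold the Mitigation section gives, added here as an example and not code from the advisory or the Vim project. It parses the version banner and the `Included patches:` line that `vim --version` prints; the sample outputs embedded below are constructed, not captured from real systems, and `check_installed_vim` assumes a `vim` binary on PATH.

```python
import re
import subprocess

# Fix threshold for CVE-2023-4750 as stated in the advisory: Vim 9.0.1857.
FIXED_MAJOR_MINOR = (9, 0)
FIXED_PATCH = 1857


def parse_vim_version(output: str):
    """Return ((major, minor), {included patch numbers}) from `vim --version` text."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no Vim version banner found")
    major_minor = (int(m.group(1)), int(m.group(2)))
    patches = set()
    pm = re.search(r"Included patches:\s*([0-9,\s-]+)", output)
    if pm:
        # Comma-separated list of numbers and ranges, e.g. "1-1700, 1702-1900".
        for part in pm.group(1).split(","):
            part = part.strip()
            if "-" in part:
                lo, hi = (int(x) for x in part.split("-", 1))
                patches.update(range(lo, hi + 1))
            elif part:
                patches.add(int(part))
    return major_minor, patches


def is_fixed(output: str) -> bool:
    """True if the build is at or beyond 9.0.1857, i.e. carries the upstream fix."""
    major_minor, patches = parse_vim_version(output)
    if major_minor > FIXED_MAJOR_MINOR:
        return True   # a later base release (e.g. 9.1) already contains the patch
    if major_minor < FIXED_MAJOR_MINOR:
        return False  # 8.x builds never carry the 9.0 patch series
    return FIXED_PATCH in patches


def check_installed_vim() -> bool:
    """Run the installed vim and evaluate its banner (assumes `vim` is on PATH)."""
    out = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    return is_fixed(out)


# Constructed sample outputs for demonstration; not captured from real systems.
VULNERABLE_SAMPLE = "VIM - Vi IMproved 9.0 (2022 Jun 28)\nIncluded patches: 1-1850\n"
FIXED_SAMPLE = "VIM - Vi IMproved 9.0 (2022 Jun 28)\nIncluded patches: 1-1700, 1702-1900\n"
```

Distribution packages that backport the fix without advancing the patch level will still read as unpatched here, so confirm against the package changelog before treating the result as final.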

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 27

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 7

News mentions: 0 (no linked articles in our index yet)