overflow with count for :s command in vim
Description
Vim's :s command with a very large count can cause an integer overflow leading to potential crash; fixed in version 9.0.2108.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vim's :s command with a very large count can cause an integer overflow leading to potential crash; fixed in version 9.0.2108.
Vulnerability
The vulnerability resides in Vim's :s (substitute) command when a numeric count larger than INT_MAX (2147483647) is supplied. Before the fix, Vim only verified that the count was positive but not that it fit within a signed long variable, causing an integer overflow that could lead to undefined behavior or a crash. Affected versions include all Vim releases prior to 9.0.2108 [1][2][3].
Exploitation
An attacker must trick a user into executing a command like :s///{very large count} in Vim, requiring user interaction. The attacker can craft a malicious file or social engineer the command. No special privileges are needed beyond normal Vim use. The overflow occurs during count parsing, and Vim may attempt to allocate or iterate based on the overflowed value [1][3].
Impact
The impact is low. Successful exploitation may cause a Vim crash, resulting in a denial of service. According to the advisory, a crash may not occur in all situations, and there is no evidence of code execution or data corruption [1][3].
Mitigation
The fix is included in Vim version 9.0.2108, released on 2023-11-15 approximately. Commit ac6378773 adds a check: if the count is >= INT_MAX, Vim aborts with error E1510 (value too large). Users should upgrade to 9.0.2108 or later. No workarounds are available [2][3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
27- osv-coords25 versionspkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.3
< 9.1.0111-150500.20.9.1+ 24 more
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-17.29.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-17.29.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- github.com/vim/vim/commit/ac63787734fda2e294e477af52b3bd601517fa78mitrex_refsource_MISC
- github.com/vim/vim/security/advisories/GHSA-3xx4-hcq6-r2vjmitrex_refsource_CONFIRM
- www.openwall.com/lists/oss-security/2023/11/16/1mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UJAK2W5S7G75ETDAEM3BDUCVSXCEGRD/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M3VQF7CL3V6FGSEW37WNDFBRRILR65AK/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNRNYLWXZOGTYWE5HMFNQ5FVE3HBUHF6/mitre
- security.netapp.com/advisory/ntap-20231227-0003/mitre
News mentions
0No linked articles in our index yet.