Vim has heap-use-after-free at /src/charset.c:1770:12 in skipwhite
Description
Vim versions prior to 9.0.2121 contain a heap-use-after-free in ex_substitute when a recursive :s command frees memory later accessed by the initial :s, potentially causing a crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vim versions prior to 9.0.2121 contain a heap-use-after-free in ex_substitute when a recursive :s command frees memory later accessed by the initial :s, potentially causing a crash.
Vulnerability
Vim versions prior to 9.0.2121 contain a heap-use-after-free vulnerability in the ex_substitute() function. The bug is triggered when a user executes a :s substitution command for the first time in a session and includes a sub-replace-special atom (e.g., ~\=) that causes a recursive :s call. The recursive call can free memory that the initial call later accesses, leading to a use-after-free condition [1][2][4].
Exploitation
Exploitation requires the user to run a crafted :s command as the first substitution in a Vim session. The command must contain a sub-replace-special atom that invokes a recursive substitution, causing the use-after-free. The attacker must convince the user to open a malicious file or execute the command directly. The process is delicate and may not always succeed, but can result in a crash [1][4].
Impact
Successful exploitation leads to a heap-use-after-free, which can cause Vim to crash or potentially allow arbitrary code execution if the freed memory is controlled. The impact is considered low because the attacker requires user interaction and the exploitation is tricky to reproduce reliably [1][4].
Mitigation
The vulnerability is fixed in Vim version 9.0.2121 [2]. Users should update to this version or later. No workaround is available for unpatched versions. The issue is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication [1][4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
27- osv-coords25 versionspkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.3pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.3
< 9.1.0111-150500.20.9.1+ 24 more
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-150500.20.9.1
- (no CPE)range: < 9.1.0111-17.29.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-17.29.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
- (no CPE)range: < 9.1.0111-150000.5.60.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- github.com/gandalf4a/crash_report/blob/main/vim/vim_huafmitrex_refsource_MISC
- github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bbmitrex_refsource_MISC
- github.com/vim/vim/pull/13552mitrex_refsource_MISC
- github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53qmitrex_refsource_CONFIRM
- www.openwall.com/lists/oss-security/2023/11/22/3mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/mitre
- security.netapp.com/advisory/ntap-20240105-0001/mitre
News mentions
0No linked articles in our index yet.