NULL Pointer Dereference in vim/vim
Description
A NULL pointer dereference in Vim's GUI scroll handler causes a crash when exmode is active; fixed in patch 9.0.1992.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in Vim's GUI scroll handler causes a crash when exmode is active; fixed in patch 9.0.1992.
Vulnerability
A NULL pointer dereference vulnerability exists in gui_do_scroll() in the Vim source code prior to commit 20d161ace307e28690229b68584f2d84556f8960 (patch 9.0.1992). The function gui_do_scroll() could be called while Vim is in exmode (when exmode_active is set), leading to a redraw attempt that uses invalid LineOffset and similar values. This triggers a NULL pointer dereference and a segfault. Affected versions are all Vim releases before the patch was applied.
Exploitation
An attacker must be able to supply a crafted file or input that causes Vim to enter exmode and then trigger a scroll event (e.g., pressing a scrollbar key in insert mode). The test case in the commit shows a sequence: entering insert mode and then pressing k_VerScrollbar while in exmode. No special network position or authentication is needed; the attack can be performed by a local user opening a malicious file.
Impact
Successful exploitation causes Vim to crash (denial of service) due to the NULL pointer dereference. There is no indication of code execution or information disclosure beyond the program termination. The crash occurs within the Vim process and does not elevate privileges.
Mitigation
The fix is included in Vim patch 9.0.1992, available in the commit 20d161ace307e28690229b68584f2d84556f8960 [1]. Users should update to Vim version containing this patch or later. The official source repository and likely downstream distros have applied the fix. No workaround is provided in the references; updating Vim is the recommended action.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
28- osv-coords26 versionspkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
< 9.0.2103-150000.5.57.1+ 25 more
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-17.26.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-17.26.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/vim/vim/commit/20d161ace307e28690229b68584f2d84556f8960mitre
- huntr.dev/bounties/b54cbdf5-3e85-458d-bb38-9ea2c0b669f2mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/mitre
News mentions
0No linked articles in our index yet.