Use After Free in vim/vim
Description
Vim before v9.0.2010 has a use-after-free in buf_contents_changed() that can be triggered by autocommands, potentially causing heap corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vim before v9.0.2010 has a use-after-free in buf_contents_changed() that can be triggered by autocommands, potentially causing heap corruption.
Vulnerability
A use-after-free vulnerability exists in buf_contents_changed() in Vim prior to v9.0.2010 [1]. The function compares the current buffer's content with the file on disk, but during this operation autocommands can execute and wipe or free the buffer that is being accessed, leading to a use-after-free [1].
Exploitation
An attacker would need to craft a file that, when opened in Vim, triggers a sequence of autocommands that execute during the buf_contents_changed() call [1]. The autocommands can cause the buffer to be wiped, while the function continues to use the freed memory [1]. No special network position or authentication is required if the victim opens the malicious file.
Impact
Successful exploitation results in heap memory corruption [1]. Depending on the heap layout and the freed memory content, this could lead to a crash or potentially arbitrary code execution. The victim's Vim session would be compromised, and the attacker could read or modify files that Vim has access to.
Mitigation
Update to Vim v9.0.2010 or later, which includes the fix that blocks autocommands during the buffer comparison [1]. The fix adds block_autocmds() and unblock_autocmds() calls around the critical section in buf_contents_changed() [1]. Fedora has also released package updates containing the patched version [2][3][4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
28- osv-coords26 versionspkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.3pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3
< 9.0.2103-150000.5.57.1+ 25 more
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150500.20.6.1
- (no CPE)range: < 9.0.2103-17.26.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-17.26.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
- (no CPE)range: < 9.0.2103-150000.5.57.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/vim/vim/commit/41e6f7d6ba67b61d911f9b1d76325cd79224753dmitre
- huntr.dev/bounties/2c2d85a7-1171-4014-bf7f-a2451745861fmitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VDDWD25AZIHBAA44HQT75OWLQ5UMDKU3/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGTVLUV7UCXXCZAIQIUCLG6JXAVYT3HE/mitre
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XPT7NMYJRLBPIALGSE24UWTY6F774GZW/mitre
News mentions
0No linked articles in our index yet.