VYPR
Unrated severity · NVD Advisory · Published Feb 5, 2024 · Updated Nov 4, 2025

CVE-2024-22667

Description

Vim < 9.0.2142 has a stack-buffer-overflow in did_set_langmap due to unsafe sprintf usage in option callback error handling.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Vim versions prior to 9.0.2142, a stack-based buffer overflow exists in the option callback function did_set_langmap within map.c. The function illegal_char used sprintf to write error messages into a fixed-size buffer (errbuf) passed down through the option handling chain (set_string_option, did_set_string_option). Because no length checking was performed, supplying a crafted value for the langmap option could cause the error message to overflow the stack buffer. The fix replaces sprintf with snprintf and passes the buffer length explicitly [1][2].

Exploitation

An attacker requires the ability to set the langmap option, for example, by executing commands from a file or via the command line. The proof of concept uses Vim in headless mode (-e -s -S poc) to source a file containing a :set langmap=... command that triggers the overflow. No special privileges or user interaction beyond opening the crafted file is needed; the overflow occurs during option validation [2].

Impact

Successful exploitation can lead to a stack-based buffer overflow, potentially allowing an attacker to corrupt memory and achieve arbitrary code execution (RCE) or cause a denial of service (crash). The overflow is demonstrated with AddressSanitizer reporting a write of 142 bytes at the overflow site [2]. The exact impact depends on the memory layout and protections, but the vulnerability is classified as a buffer overflow with high severity.

Mitigation

The vulnerability is fixed in Vim version 9.0.2142. Users should upgrade to this version or later. The patch explicitly changes sprintf calls to snprintf and adds length parameters to protect against overflows [1]. No workaround is available; updating is the recommended action. The issue has been disclosed and patched upstream [1][2].
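
The pattern described under Vulnerability and Mitigation, as an added sketch that is not Vim's source or the upstream patch: an error formatter that receives only a pointer and uses sprintf, beside the form that receives the buffer length and uses snprintf. The function names, the 80-byte buffer size and the message text are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ERRBUF_LEN 80  /* assumed size for this sketch, not Vim's value */
#define ERR_FMT "illegal character <%s>"  /* constructed message text */

/* Before: the callee gets only a pointer, so sprintf writes as many
 * bytes as the formatted text needs, whatever the caller allocated. */
static char *report_unbounded(char *errbuf, const char *what)
{
    sprintf(errbuf, ERR_FMT, what);
    return errbuf;
}

/* After: the length travels with the pointer and snprintf stops at it.
 * snprintf returns the length the full message needed, so a result
 * >= errbuflen tells the caller the text was cut short. */
static char *report_bounded(char *errbuf, size_t errbuflen,
                            const char *what, int *truncated)
{
    int need = snprintf(errbuf, errbuflen, ERR_FMT, what);
    *truncated = (need < 0 || (size_t)need >= errbuflen);
    return errbuf;
}

/* Stand-in for the option handler chain: the buffer lives on the
 * caller's stack and is handed down to the error formatter. Returns the
 * stored message length; value_len is the size of the offending text. */
static size_t set_option_bounded(size_t value_len, int *truncated)
{
    char errbuf[ERRBUF_LEN];
    char value[512];
    if (value_len >= sizeof(value))
        value_len = sizeof(value) - 1;
    memset(value, 'A', value_len);   /* constructed oversized input */
    value[value_len] = '\0';
    return strlen(report_bounded(errbuf, sizeof(errbuf), value, truncated));
}

int main(void)
{
    char errbuf[ERRBUF_LEN];
    int cut;
    /* In bounds only because this input is short; nothing enforces it. */
    printf("%s\n", report_unbounded(errbuf, "x"));
    size_t n = set_option_bounded(300, &cut);
    printf("stored %zu bytes, truncated=%d\n", n, cut);
    return 0;
}
```

Building a reproduction like this with -fsanitize=address is how an out-of-bounds write in the unbounded form surfaces as a stack-buffer-overflow report, which is the kind of AddressSanitizer finding the advisory cites.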

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 27

References: 5
