VYPR
Unrated severity · NVD Advisory · Published Aug 1, 2024 · Updated Nov 15, 2024

Vim < v9.1.0648 has a double-free in dialog_changed()

CVE-2024-41965

Description

Double-free vulnerability in Vim's dialog_changed() when saving a modified unnamed buffer, leading to potential crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A double-free vulnerability exists in Vim versions prior to v9.1.0648 in the dialog_changed() function. When a user abandons a modified buffer that has no name, Vim prompts the user to save. If the user chooses to save, Vim creates a new Untitled file and sets the buffer name to "Unnamed". During this process, a pointer is freed twice, leading to a double-free and potential heap-use-after-free. The issue is fixed in patch v9.1.0648 [1][2].

Exploitation

An attacker would need to trick a user into opening a crafted file or script that triggers the vulnerable code path. The user must interact by choosing to save a modified unnamed buffer. No special network position or authentication is required beyond local access to Vim. The exploit sequence involves causing Vim to call dialog_changed() with a buffer that has no name, then selecting the save option, which triggers the double-free [1].

Impact

Successful exploitation can lead to a crash of Vim due to heap-use-after-free. In some cases, this could potentially be leveraged for arbitrary code execution, though the advisory notes the primary impact is a crash. The vulnerability is classified as low severity [1].

Mitigation

The vulnerability is fixed in Vim patch v9.1.0648, released on 2024-08-01. Users should update to Vim v9.1.0648 or later. No workaround is available; updating is the recommended mitigation [1][2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"The dialog_changed() function in Vim incorrectly frees a pointer twice when handling modified, unnamed buffers."

Attack vector

An attacker can trigger this vulnerability by abandoning a modified buffer that does not have a name. If the user chooses to save the buffer, Vim may attempt to create a new untitled file. During this process, setting the buffer name to 'Unnamed' causes the double-free condition. This can lead to a heap-use-after-free vulnerability, potentially resulting in a crash [1].

Affected code

The vulnerability lies within the `dialog_changed()` function in Vim. The specific lines involved in the double-free are related to clearing buffer filenames, particularly when the buffer name is set to 'Unnamed' [1][2]. The commit details show modifications around lines 197-205 in `ex_cmds.c` [2].

What the fix does

The patch introduces a check to prevent the double-free. Specifically, it checks whether `buf->b_sfname` differs from `buf->b_ffname` before clearing `buf->b_sfname`. This ensures that `VIM_CLEAR(buf->b_fname)` and `VIM_CLEAR(buf->b_sfname)` are not called on the same pointer when the buffer name is set to 'Unnamed', thus resolving the double-free vulnerability [2].
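To make the aliasing condition concrete, here is an added, self-contained C model; it is not Vim's code and not the patch itself. It assumes that `b_sfname` may point at the same allocation as `b_ffname` and that `b_fname` is a non-owning alias of one of them, and it wraps `free()` in a tracking shim so that a second release of the same pointer is reported as a result instead of crashing the process.

```c
#include <stdlib.h>

/* Hypothetical model of Vim's buffer name fields, not Vim's own code. Assumed
 * invariant: b_sfname may equal b_ffname, and b_fname is a non-owning alias. */
typedef struct {
    char *b_ffname;   /* full path, owned */
    char *b_sfname;   /* short name, owned only when it differs from b_ffname */
    char *b_fname;    /* current name, points at b_sfname or b_ffname */
} namebuf_T;
/* Free-tracking shim: a pointer freed twice is flagged, not passed to free() again. */
static void *freed[4];
static int nfreed, double_free_seen;
static void tracked_free(void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) { double_free_seen = 1; return; }
    if (nfreed < 4) freed[nfreed++] = p;
    free(p);
}
#define VIM_CLEAR(p) do { if ((p) != NULL) { tracked_free(p); (p) = NULL; } } while (0)

/* Unchecked clear: frees both owned fields without testing whether they alias. */
static void clear_names_unchecked(namebuf_T *b)
{
    b->b_fname = NULL;
    VIM_CLEAR(b->b_ffname);
    VIM_CLEAR(b->b_sfname);
}

/* Checked clear (the fix shape the advisory describes): free b_sfname only when
 * it is its own allocation, then free b_ffname exactly once. */
static void clear_names_checked(namebuf_T *b)
{
    b->b_fname = NULL;
    if (b->b_sfname != b->b_ffname)
        VIM_CLEAR(b->b_sfname);
    else
        b->b_sfname = NULL;
    VIM_CLEAR(b->b_ffname);
}
/* Clear a constructed buffer; 1 = double free, 0 = clean, -1 = field left dangling. */
int run_case(int aliased, int checked)
{
    namebuf_T b = { malloc(32), NULL, NULL };   /* name bytes are irrelevant here */
    nfreed = 0; double_free_seen = 0;
    b.b_sfname = aliased ? b.b_ffname : malloc(32);
    b.b_fname = b.b_sfname;
    if (checked) clear_names_checked(&b); else clear_names_unchecked(&b);
    return double_free_seen ? 1 : (b.b_fname || b.b_ffname || b.b_sfname) ? -1 : 0;
}
```

Only the aliased, unchecked combination reports a double free; the checked clear leaves every field NULL in both the aliased and the separately allocated case.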

Preconditions

  • Input: The user must abandon a modified buffer that does not have a name.
  • Input: The user must choose to save the modified buffer when prompted.

Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
