Vim heap-use-after-free in src/arglist.c:207
Description
Vim before 9.1.0678 has a use-after-free in argument list handling when autocommands close the buffer being added.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Vim versions prior to 9.1.0678 contain a use-after-free vulnerability in the argument list handling (alist_add()). When adding a new file to the argument list, Buf* autocommands are triggered. If an autocommand closes the buffer that was just opened (including its window), the window structure is freed, which contains a reference to the argument list being modified. After autocommands complete, the references become invalid, leading to a use-after-free [1][2].
Exploitation
An attacker needs to either intentionally add unusual autocommands that wipe a buffer during creation or source a malicious plugin that does so. The user must have autocommands enabled and trigger the addition of a file to the argument list while such autocommands are active. No special network position or authentication is required beyond local access to Vim [1].
Impact
Successful exploitation results in a crash of Vim (denial of service). The impact is considered low because it requires specific user actions or a malicious plugin. No code execution or data disclosure is indicated in the available references [1].
Mitigation
The issue is fixed in Vim patch v9.1.0678 [1][2]. Users should update to this version or later. There is no known workaround; users should avoid sourcing untrusted plugins that define autocommands that close buffers during creation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
osv-coords, 15 versions:
- pkg:apk/chainguard/vim (no CPE), range: < 9.1.0686-r0
- pkg:apk/chainguard/vim-doc (no CPE), range: < 9.1.0686-r0
- pkg:apk/wolfi/vim (no CPE), range: < 9.1.0686-r0
- pkg:apk/wolfi/vim-doc (no CPE), range: < 9.1.0686-r0
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%20Micro%205.5 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP5 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6 (no CPE), range: < 9.1.0836-150500.20.15.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS (no CPE), range: < 9.1.0836-17.38.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5 (no CPE), range: < 9.1.0836-17.38.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0 (no CPE), range: < 9.1.1101-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A use-after-free error occurs when a buffer is closed within an autocommand triggered during argument list modification."
Attack vector
An attacker must craft a malicious Vim plugin or manually configure unusual autocommands that close a buffer while it is being added to the argument list. This action, specifically within an autocommand that wipes the buffer, triggers the vulnerability. If the buffer that was just opened is closed during these autocommands, it leads to the window structure being freed while still referenced by the argument list. This results in a use-after-free condition when the autocommands complete [1].
Affected code
The vulnerability resides in the argument list handling, specifically within the `alist_add()` function which can trigger autocommands. The issue is exposed when these autocommands call functions like `win_close()` or `close_windows()`. The patch modifies checks within `win_close()` and `close_windows()` to correctly identify locked windows, preventing the use-after-free [1].
What the fix does
The patch modifies the `win_close` function and related checks to use `win_locked(wp)` instead of `wp->w_closing` [1]. This change prevents autocommands from closing a window that is currently being processed or is locked. By ensuring that windows are not closed prematurely during argument list operations, the reference to the freed window structure is avoided, thus mitigating the use-after-free vulnerability.
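The pattern behind the fix, as an added example (a simplified model written for this page, not Vim's source): a caller caches a pointer into a window-owned list, runs a re-entrant callback, and a lock check in the close path decides whether that pointer survives. The struct layout, `honor_lock`, `closing_autocmd` and `run_scenario` are hypothetical; only the names `alist_add`, `win_close` and `win_locked` are taken from the text above.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; struct layout and helper names are hypothetical. */
typedef struct { const char *names[8]; int count; } arglist_t;
typedef struct win {
    arglist_t *alist;  /* argument list reachable only through the window */
    int locked;        /* set while a caller still holds pointers into it */
} win_t;
typedef void (*autocmd_fn)(win_t *wp);

static int honor_lock; /* 0 = close ignores the lock, 1 = close checks it */

static int win_locked(const win_t *wp) { return wp->locked; }

/* Close the window and release what it owns; 0 means the close was refused. */
static int win_close(win_t *wp) {
    if (honor_lock && win_locked(wp))
        return 0;
    free(wp->alist);
    wp->alist = NULL;
    return 1;
}

/* Stand-in for a Buf* autocommand that closes the window it runs in. */
static void closing_autocmd(win_t *wp) { (void)win_close(wp); }

/* Returns 0 on success, -1 when the list was released during the callback,
 * which is the point where unguarded code would touch freed memory. */
static int alist_add(win_t *wp, const char *name, autocmd_fn cb) {
    arglist_t *al = wp->alist;  /* cached before callbacks run */
    wp->locked = 1;
    cb(wp);                     /* re-entrant: may call win_close() */
    wp->locked = 0;
    if (wp->alist == NULL)      /* al is dangling: detect, do not dereference */
        return -1;
    al->names[al->count++] = name;
    return 0;
}

/* Run one scenario on a fresh window; returns alist_add()'s result. */
static int run_scenario(int patched) {
    win_t w = { calloc(1, sizeof(arglist_t)), 0 };
    if (w.alist == NULL) return -2;
    honor_lock = patched;
    int rc = alist_add(&w, "file.txt", closing_autocmd);
    free(w.alist);              /* no-op if the close already released it */
    return rc;
}
int main(void) { printf("%d %d\n", run_scenario(0), run_scenario(1)); return 0; }
```

Building the model with `-fsanitize=address` and removing the `NULL` check in `alist_add` makes the stale write visible as a heap-use-after-free report in the unguarded scenario only.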
Preconditions
- Input: The user must interact with Vim in a way that triggers autocommands during argument list modification, such as sourcing a malicious plugin or manually configuring specific autocommands.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 (mitre, x_refsource_MISC)
- github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw (mitre, x_refsource_CONFIRM)