heap-buffer-overflow in do_search() in Vim < 9.1.0689
Description
A heap-buffer-overflow in Vim's do_search() when right-left mode and search count message are enabled with patterns containing ASCII NUL bytes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-buffer-overflow in Vim's do_search() when right-left mode and search count message are enabled with patterns containing ASCII NUL bytes.
Vulnerability
A heap-buffer-overflow vulnerability exists in Vim's do_search() function in versions between v9.1.0425 and v9.1.0689 [1]. When the search-count message is disabled via :set shm+=S and right-left mode is enabled via :set rl, the search pattern is reversed into a new buffer. If the pattern contains ASCII NUL bytes, the strlen() function used for the reversed buffer allocation returns a shorter length than the original buffer, causing the original length indicator to be wrong. This leads to a heap-buffer-overflow when accessing characters in the msgbuf [1].
Exploitation
An attacker must craft a search pattern containing ASCII NUL bytes and persuade a victim to run Vim with both :set shm+=S and :set rl enabled, then perform a search [1]. The victim does not need any special privileges or network access, as this occurs locally when editing a file. The attacker can supply the pattern through a malicious file or command [1].
Impact
Successful exploitation causes a heap-buffer-overflow, typically resulting in a crash due to a read of invalid memory [1]. The impact is low because the required settings (shm+=S and rl) are not default and rarely used together, and the pattern must contain NUL bytes [1]. No code execution or privilege escalation is described in the references.
Mitigation
The issue is fixed in Vim patch v9.1.0689 [1]. Users should update to Vim version 9.1.0689 or later [2]. For users unable to update, avoid enabling both :set shm+=S and :set rl simultaneously, and do not open untrusted files that may cause such a search [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
17- osv-coords15 versionspkg:apk/chainguard/vimpkg:apk/chainguard/vim-docpkg:apk/wolfi/vimpkg:apk/wolfi/vim-docpkg:deb/ubuntu/vimpkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0
< 9.1.0689-r0+ 14 more
- (no CPE)range: < 9.1.0689-r0
- (no CPE)range: < 9.1.0689-r0
- (no CPE)range: < 9.1.0689-r0
- (no CPE)range: < 9.1.0689-r0
- (no CPE)range: >= 0
- (no CPE)range: < 9.1.1101-150500.20.21.1
- (no CPE)range: < 9.1.1101-150000.5.69.1
- (no CPE)range: < 9.1.1101-150000.5.69.1
- (no CPE)range: < 9.1.1101-150000.5.69.1
- (no CPE)range: < 9.1.1101-150000.5.69.1
- (no CPE)range: < 9.1.1101-150500.20.21.1
- (no CPE)range: < 9.1.1101-150500.20.21.1
- (no CPE)range: < 9.1.1101-150500.20.21.1
- (no CPE)range: < 9.1.1101-17.41.1
- (no CPE)range: < 9.1.1101-1.1
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"A heap-based buffer overflow occurs in the `do_search` function due to incorrect length calculation when handling search patterns with NUL characters in right-left mode with search count disabled."
Attack vector
An attacker can trigger this vulnerability by performing a search operation in Vim. The preconditions include disabling the search-count message (:set shm+=S) and enabling right-left mode (:set rl). The search pattern must also contain ASCII NUL characters. This combination leads to an overflow when accessing characters within the message buffer (msgbuf) due to an incorrectly calculated length indicator [ref_id=1].
Affected code
The vulnerability resides within the `do_search()` function in Vim's `search.c` file. Specifically, the issue arises when allocating a new buffer for the reversed search pattern in right-left mode, where `strlen()` is used, leading to an incorrect length calculation if NUL characters are present [ref_id=1].
What the fix does
The patch recalculates the length of the msgbuf after it has been re-allocated, ensuring that the correct length is used for subsequent memory accesses. This prevents the heap-based buffer overflow that occurred when the search pattern contained NUL characters and right-left mode was enabled with search count disabled [ref_id=1]. The fix is included in Vim patch v9.1.0689 [ref_id=1].
Preconditions
- configSearch-count message is disabled (:set shm+=S).
- configRight-left mode is enabled (:set rl).
- inputThe search pattern contains ASCII NUL characters.
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bcmitrex_refsource_MISC
- github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jmmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.