heap-buffer-overflow in Vim
Description
A heap-buffer-overflow in Vim versions 9.1.0038 to 9.1.0706 due to invalid cursor position after an optimization patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Vim versions between v9.1.0038 and v9.1.0706 (inclusive) are affected by a heap-buffer-overflow vulnerability. Patch v9.1.0038 optimized cursor position calculation by removing a loop that verified the cursor always pointed inside a line. This removal can lead to the cursor pointing beyond the end of a line, causing a heap-buffer-overflow when accessing the line pointer at that position [1]. The exact conditions leading to an invalid cursor position are not yet fully understood [1].
Exploitation
The specific attack vector is unclear; no test case was included in the fix. The only observed occurrences have been during fuzzing with specially crafted files, not during normal editing sessions [1]. An attacker would likely need to supply a crafted file that triggers the invalid cursor state, potentially through pasted content or specific editing sequences [1].
Impact
The impact is limited to a program crash (denial of service) [1]. The Vim project rates the severity as low because only crashes from fuzzing have been seen, with no evidence of arbitrary code execution or data corruption [1].
Mitigation
Users should upgrade to Vim patch v9.1.0707 or later, which fixes the issue by adding a bounds check on the cursor column position [1][3]. No workaround is available for unpatched versions [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected packages (OSV coordinates, 20 package versions, none with a CPE):
- pkg:apk/chainguard/vim: range < 9.1.0718-r0
- pkg:apk/chainguard/vim-doc: range < 9.1.0718-r0
- pkg:apk/wolfi/vim: range < 9.1.0718-r0
- pkg:apk/wolfi/vim-doc: range < 9.1.0718-r0
- pkg:deb/ubuntu/vim?arch=src?distro=esm-infra/bionic: range >= 0
- pkg:deb/ubuntu/vim?arch=src?distro=esm-infra/xenial: range >= 0
- pkg:deb/ubuntu/vim?arch=src?distro=focal: range >= 0
- pkg:deb/ubuntu/vim?arch=src?distro=jammy: range >= 0
- pkg:deb/ubuntu/vim?arch=src?distro=noble: range >= 0
- pkg:deb/ubuntu/vim?arch=src?distro=trusty/esm: range >= 0
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6: range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3: range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4: range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5: range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6: range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5: range < 9.1.1101-17.41.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0: range < 9.1.1101-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"A removed loop that validated cursor position allowed it to become invalid, leading to a heap-buffer-overflow."
Attack vector
The vulnerability is triggered when the cursor position becomes invalid, pointing beyond the end of a line. This situation can arise after patch v9.1.0038 optimized cursor position calculation and removed a validation loop. The exact conditions leading to an invalid cursor position are not fully understood, and the observed impact has been a program crash rather than a security compromise during editing sessions [1].
Affected code
The vulnerability stems from changes made in patch v9.1.0038, which optimized cursor position calculation and removed a validation loop. This resulted in the cursor position potentially remaining invalid, leading to a heap-buffer-overflow when accessing the line pointer at the specified cursor position. The issue is described as occurring within functions related to editing and character insertion, as indicated by ASAN output referencing `ins_char_bytes` and `bracketed_paste` [1].
What the fix does
Patch v9.1.0707 reintroduces the validation loop that was removed in v9.1.0038. This loop ensures that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line, thereby preventing the heap-buffer-overflow condition [1].
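The following is an added example, not Vim's code and not the fix commit: a constructed C model of the invariant the Mitigation and "What the fix does" paragraphs describe, namely that a cursor column must be validated against the line length before it is used as an index. The types and names (`line_t`, `cursor_t`, `cursor_is_inside_line`, `check_cursor_col`, `insert_byte_at_cursor`) and the stale-column scenario in `main` are assumptions for illustration; they stand in for, and do not reproduce, Vim's own cursor and line handling.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an editor line and cursor (assumed types, not Vim's).
 * The line lives in a fixed buffer so that an out-of-range column would
 * index outside the line's valid bytes. */
#define LINE_CAP 64

typedef struct {
    char   buf[LINE_CAP]; /* NUL-terminated line contents */
    size_t len;           /* number of bytes before the NUL */
} line_t;

typedef struct {
    size_t col;           /* byte column; valid range is 0..len (len = append position) */
} cursor_t;

/* The invariant the removed loop used to enforce: the cursor column must lie
 * inside the line (col == len is the append position and is allowed). */
bool cursor_is_inside_line(const cursor_t *cur, const line_t *line)
{
    return cur->col <= line->len;
}

/* The bounds check the advisory says the fix adds: pull an out-of-range
 * column back to the end of the line. Returns how many bytes the column was
 * moved (0 when it was already valid). */
size_t check_cursor_col(cursor_t *cur, const line_t *line)
{
    if (cursor_is_inside_line(cur, line))
        return 0;
    size_t delta = cur->col - line->len;
    cur->col = line->len;
    return delta;
}

/* Character insertion at the cursor (a stand-in for the kind of operation the
 * ASAN trace attributed to ins_char_bytes). The check runs before the column
 * is used as an index, so a stale column cannot reach memmove()/buf[] out of
 * range. Returns false only when the line is full. */
bool insert_byte_at_cursor(line_t *line, cursor_t *cur, char c)
{
    if (line->len + 1 >= LINE_CAP)
        return false;                       /* no room for c plus the NUL */
    check_cursor_col(cur, line);            /* the fix: validate before indexing */
    /* shift the tail (including the NUL) right by one byte */
    memmove(line->buf + cur->col + 1, line->buf + cur->col, line->len - cur->col + 1);
    line->buf[cur->col] = c;
    line->len++;
    cur->col++;                             /* cursor now sits after the inserted byte */
    return true;
}

/* Build a line from a C string, truncating anything that would not fit. */
line_t make_line(const char *s)
{
    line_t l;
    l.len = strlen(s);
    if (l.len >= LINE_CAP)
        l.len = LINE_CAP - 1;
    memcpy(l.buf, s, l.len);
    l.buf[l.len] = '\0';
    return l;
}

int main(void)
{
    /* Constructed scenario: the cursor column is stale (10) on a 5-byte line,
     * the kind of state the advisory describes arising after v9.1.0038. */
    line_t line = make_line("hello");
    cursor_t cur = { .col = 10 };

    printf("cursor inside line before check: %s\n",
           cursor_is_inside_line(&cur, &line) ? "yes" : "no");
    insert_byte_at_cursor(&line, &cur, '!');
    printf("after insert: \"%s\" (col=%zu)\n", line.buf, cur.col);
    return 0;
}
```

The point of the model is ordering: the validity check sits inside the insertion path, immediately before the column is used as an index, rather than relying on every caller (paste handling, motion commands, scripted edits) to have kept the column valid. That is the same defensive position the advisory attributes to v9.1.0707, and it fails closed by clamping to the append position rather than aborting the edit.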
Generated on Jun 6, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr (refsource: CONFIRM)
- [2] github.com/vim/vim/releases/tag/v9.1.0038 (refsource: MISC)
- [3] github.com/vim/vim/commit/396fd1ec2956307755392a1 (refsource: MISC)
News mentions
No linked articles in our index yet.