VYPR
Unrated severity · NVD Advisory · Published Oct 7, 2024 · Updated Nov 3, 2025

use-after-free when closing buffers in Vim

CVE-2024-47814

Description

A use-after-free in Vim before 9.1.0764 allows a crash when a BufWinLeave autocmd reopens a buffer in a new split window during buffer close.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A use-after-free vulnerability exists in Vim versions prior to 9.1.0764 [1]. When a buffer visible in a window is closed, a BufWinLeave autocommand can cause the buffer to be freed while still referenced, if the autocommand re-opens the same buffer in a new split window. Vim detects simple cases such as au BufWinLeave foobar :vsp foobar and aborts with E1159, but a more complex sequence (editing another file then splitting to re-edit the original) can bypass this check and confuse reference counting, leading to a use-after-free [1]. The issue is triggered only when a user intentionally configures such an autocommand and runs buffer unload commands [1][2].

Exploitation

An attacker needs to craft a BufWinLeave autocommand that, when triggered during buffer close, executes a sequence like :e dummy | vsp originalbuffer. This causes Vim to free the buffer structure while it is still referenced in another window [1]. The user must set up this autocommand in their configuration (e.g., in .vimrc or via an -S script) and then close the buffer (e.g., with :bw) [1][2]. No network access or special privileges are required, only local ability to run Vim with the malicious configuration [1].

Impact

Successful exploitation leads to a use-after-free, which typically causes a crash (denial of service) [1][2]. The advisory rates impact as low because it requires the user to have intentionally set up a strange autocommand [1]. In theory, a crafted autocommand could lead to memory corruption beyond a crash, but no such exploit is demonstrated in the references [1][2].

Mitigation

The vulnerability is fixed in Vim version 9.1.0764, released on October 6, 2024 [1][2]. Users should upgrade to this version or later. There are no known workarounds [1]. The patch adds a buf_locked() function and checks to abort if the buffer is locked during do_ecmd, preventing the use-after-free [2].
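
The locking idea in that patch description can be seen in a small C model, added here as an illustration and not taken from Vim's source or the patch. The struct, its fields and the function names are hypothetical, and the stale "last window" decision is an assumed simplification of the reference-count confusion described above.

```c
#include <stdio.h>

/* Simplified model, not Vim source: every name below is hypothetical. */
typedef struct buf {
    int nwindows;   /* windows currently showing the buffer */
    int locked;     /* > 0 while a close-time autocommand is running */
    int freed;      /* set instead of calling free(), so state stays inspectable */
} buf_T;

typedef void (*autocmd_T)(buf_T *buf, int guarded);

/* Re-open the buffer in a new split; the guarded form refuses while locked. */
static int open_in_split(buf_T *buf, int guarded)
{
    if (guarded && buf->locked > 0)
        return -1;      /* abort: the buffer is locked by an in-progress close */
    buf->nwindows++;
    return 0;
}

/* Constructed autocommand body: re-opens the buffer that is being closed. */
static void reopen_autocmd(buf_T *buf, int guarded)
{
    (void)open_in_split(buf, guarded);
}

/* Close the only window on a buffer, running the autocommand first.
 * Returns how many windows are left pointing at a freed buffer. */
int close_last_window(int guarded, autocmd_T cmd)
{
    buf_T buf = { 1, 0, 0 };
    int was_last = (buf.nwindows == 1);   /* decision taken before the callback */

    buf.locked++;
    cmd(&buf, guarded);                   /* callback may change nwindows */
    buf.locked--;

    buf.nwindows--;                       /* the closing window goes away */
    if (was_last)
        buf.freed = 1;                    /* stale decision: freed regardless */
    return buf.freed ? buf.nwindows : 0;
}

int main(void)
{
    printf("unguarded: %d dangling window(s)\n", close_last_window(0, reopen_autocmd));
    printf("guarded:   %d dangling window(s)\n", close_last_window(1, reopen_autocmd));
    return 0;
}
```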

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

17

References

2
