vim main.c memory corruption
Description
Vim up to 9.1.1096 crashes with memory corruption when --log points to an inaccessible path; fixed in 9.1.1097.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A memory corruption vulnerability exists in Vim versions up to 9.1.1096 in the src/main.c file. The bug is triggered when the --log command-line argument is passed with a path that is inaccessible (e.g., a non-existent file). This leads to improper memory handling and a crash. The issue was reported in [1] and the fix is included in version 9.1.1097.
Exploitation
An attacker with local access can exploit this vulnerability by running Vim with a crafted --log argument that points to an inaccessible location. No special privileges or user interaction beyond launching the command are required. The steps involve compiling Vim with debug flags and executing vim --log /path/to/inaccessible/file, which results in a crash [1].
Impact
Successful exploitation causes memory corruption, leading to a denial of service via program crash. There is no indication of arbitrary code execution or information disclosure in the available references.
Mitigation
The vulnerability is fixed in Vim version 9.1.1097, released on 2025-02-12 [3]. The patch commit c5654b84480822817bb7b69ebc97c174c91185e9 reorganizes initialization to handle the inaccessible log file gracefully [2]. Users should upgrade to the patched version. No workarounds are documented.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (OSV coordinates, 10 versions, no CPE)
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6: affected range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: affected range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: affected range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3: affected range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4: affected range < 9.1.1101-150000.5.69.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5: affected range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6: affected range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6: affected range < 9.1.1101-150500.20.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5: affected range < 9.1.1101-17.41.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0: affected range < 9.1.1101-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing initialization of error-messaging infrastructure before processing the --log option leads to a null-pointer dereference when the log file cannot be opened."
Attack vector
An attacker who can control the argument passed to vim's `--log` option can trigger a crash by supplying a path to an inaccessible or non-existent file. The attack is local: the user runs `vim --log /path/to/inaccessible/file` [ref_id=1]. When vim attempts to open the log file and fails, it calls error-reporting functions that dereference uninitialized global state, causing a segmentation fault [ref_id=1][ref_id=2].
Affected code
The vulnerability is in `src/main.c` and `src/logfile.c`. The crash occurs in `ch_logfile()` at `logfile.c:51` when it tries to emit an error message via `semsg()` for a failed `--log` file open, but the error-messaging infrastructure (estack, cmdline) has not yet been initialized because `common_init()` (which calls `estack_init()` and `cmdline_init()`) runs after the `--log` argument is processed [ref_id=2].
What the fix does
The patch splits `common_init()` into two parts: `common_init_1()` (which initializes estack, cmdline, and allocates generic buffers) and `common_init_2()` (which handles the remaining initialization that depends on `mparm_T`). The critical change is that `common_init_1()` is now called *before* the `--log` argument is parsed, so that when `ch_logfile()` fails and calls `emsg_core()`, the error-messaging infrastructure is already set up and no null-pointer dereference occurs [ref_id=2]. A regression test (`Test_log_nonexistent`) was added to verify that `--log /X/Xlogfile` no longer crashes [ref_id=2].
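The initialization-ordering problem described above, reduced to a toy program. This is an added illustration, not Vim's code: `estack_T`, `estack_init()`, `emsg_core()`, `ch_logfile()` and `startup()` are hypothetical stand-ins named after the Vim routines the fix touches, and the inaccessible path is a constructed value. Unlike the original `emsg_core()`, the toy checks whether the error stack exists before touching it, so the buggy ordering shows up as a return code rather than a segmentation fault; the fixed ordering (initialize the error infrastructure first, then parse `--log`) reports the failed open normally.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for Vim's error stack (hypothetical type/names). The pointer
 * stays NULL until estack_init() runs, which is the state the --log error
 * path encountered in the buggy startup ordering. */
typedef struct {
    int depth;
    char last_msg[256];
} estack_T;

static estack_T *estack = NULL;
static char last_emsg[256];   /* copy that survives estack_free() for inspection */

enum {
    STARTUP_OK = 0,               /* log file opened successfully */
    STARTUP_LOG_FAILED = 1,       /* open failed and the error was reported properly */
    STARTUP_EMSG_BEFORE_INIT = 2  /* error path reached while estack == NULL */
};

static void estack_init(void)
{
    estack = calloc(1, sizeof *estack);
    if (estack == NULL) {
        perror("calloc");
        exit(EXIT_FAILURE);
    }
}

static void estack_free(void)
{
    free(estack);
    estack = NULL;
}

/* Toy emsg_core(): records a message on the error stack. Vim's real routine
 * dereferenced global state unconditionally; here the NULL case is turned
 * into a distinct return code so the ordering bug is observable, not fatal. */
static int emsg_core(const char *msg)
{
    if (estack == NULL)
        return STARTUP_EMSG_BEFORE_INIT;
    snprintf(estack->last_msg, sizeof estack->last_msg, "E: %s", msg);
    estack->depth++;
    snprintf(last_emsg, sizeof last_emsg, "%s", estack->last_msg);
    return STARTUP_LOG_FAILED;
}

/* Toy ch_logfile(): open the --log target; on failure report through emsg_core(). */
static int ch_logfile(const char *path)
{
    FILE *fp = fopen(path, "a");
    if (fp == NULL) {
        char buf[512];
        snprintf(buf, sizeof buf, "Can't open log file %s: %s", path, strerror(errno));
        return emsg_core(buf);
    }
    fclose(fp);
    return STARTUP_OK;
}

/* Simulates both startup orderings. init_first == 0 mirrors the buggy
 * sequence (--log handled, then the error infrastructure initialized);
 * init_first != 0 mirrors the fix (infrastructure initialized first). */
int startup(const char *logpath, int init_first)
{
    int rc;
    last_emsg[0] = '\0';
    if (init_first)
        estack_init();
    rc = ch_logfile(logpath);
    if (!init_first)
        estack_init();  /* original position: too late for the --log error path */
    estack_free();
    return rc;
}

const char *last_emsg_text(void)
{
    return last_emsg;
}

int main(void)
{
    /* Constructed path: the directory does not exist, so fopen() fails. */
    const char *bad = "/nonexistent_dir_for_demo/logfile";
    printf("buggy order: rc=%d\n", startup(bad, 0));
    printf("fixed order: rc=%d msg=\"%s\"\n", startup(bad, 1), last_emsg_text());
    return 0;
}
```

The two `startup()` calls differ only in where `estack_init()` sits relative to `ch_logfile()`, which is the whole substance of splitting `common_init()` so that its first half runs before argument parsing. The defensive NULL check in the toy `emsg_core()` is a belt-and-braces measure, not the fix itself: any code path that can report an error during early startup needs the reporting infrastructure to exist first.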
Preconditions
- input: The attacker must be able to invoke vim with a --log argument pointing to an inaccessible or non-existent path.
- network: The attack is local; no network access is required.
Reproduction
Compile vim at commit 68d0858 with `-g` and AddressSanitizer. Run `vim --log /path/to/inaccessible/file`. Vim will crash with a SIGSEGV in `get_emsg_lnum()` at `message.c:521` [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
- github.com/vim/vim/commit/c5654b84480822817bb7b69ebc97c174c91185e9 (mitre; patch)
- github.com/vim/vim/releases/tag/v9.1.1097 (mitre; patch)
- vuldb.com (mitre; third-party-advisory)
- github.com/vim/vim/issues/16606 (mitre; issue-tracking)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.