heap-buffer-overflow with visual mode in Vim < 9.1.1003
Description
Heap-buffer-overflow in Vim <9.1.1003 when using :all command with active visual mode leads to potential memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Vim versions before 9.1.1003 (including patch 9.1.0938 and earlier), a heap-buffer overflow exists when executing the :all command while visual mode is active. The editor fails to properly terminate visual mode before switching buffers, causing it to access memory beyond the end of a line in the target buffer. The issue was reported by researcher gandalf4a and addressed in patch v9.1.1003 [1][2].
Exploitation
An attacker needs the user to have visual mode enabled and then execute the :all ex command. This can be triggered via a malicious script or sourced file. The provided proof-of-concept demonstrates reproduction with the command vim -u NONE -i NONE -n -m -X -Z -e -s -S ./vim_hbo_1272 -c ':qa!'. No authentication is required beyond local access to Vim [1].
Impact
Successful exploitation results in a heap-buffer overflow, which can lead to memory corruption, denial of service, or potentially arbitrary code execution. The severity is rated Medium because the user must have visual mode active when running :all [1].
Mitigation
The vulnerability is fixed in Vim patch v9.1.1003, released on January 11, 2025. Users should upgrade to at least this version. No workarounds have been provided. The issue is not currently listed in CISA's Known Exploited Vulnerabilities catalog [1][2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
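One way to check a host against the fix level named under Mitigation, as an added example that is not part of the original page or the Vim project: the function reads `vim --version` output and reports whether patch 9.1.1003 is included. The function name `vim_patch_status` and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory or the Vim project).
# vim_patch_status reads `vim --version` text on stdin and prints:
#   patched    - release newer than 9.1, or 9.1 with patch 1003 included
#   vulnerable - older release, or 9.1 without patch 1003
#   unknown    - no Vim version banner found in the input
vim_patch_status() {
    awk -v need=1003 -v maj=9 -v min=1 '
    /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
        split($5, v, ".")                 # $5 is the release, e.g. "9.1"
        vmaj = v[1] + 0; vmin = v[2] + 0; seen = 1
    }
    /^Included patches:/ {
        sub(/^Included patches:[ \t]*/, "")
        n = split($0, items, ",[ \t]*")   # entries: "1-1003" or a lone "647"
        for (i = 1; i <= n; i++) {
            m = split(items[i], r, "-")
            lo = r[1] + 0
            hi = (m > 1 ? r[2] : r[1]) + 0
            if (need >= lo && need <= hi) has = 1
        }
    }
    END {
        if (!seen) { print "unknown"; exit }
        newer = (vmaj > maj || (vmaj == maj && vmin > min))
        same  = (vmaj == maj && vmin == min)
        # Patch numbers restart per release, so 9.0 patch 1003 does not count.
        if (newer || (same && has)) print "patched"
        else print "vulnerable"
    }'
}

# Constructed sample banners (not captured from real hosts).
banner='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 12 2025 10:00:00)'
old='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 12 2025 10:00:00)'
printf '%s\n' "$banner" 'Included patches: 1-1003'          | vim_patch_status
printf '%s\n' "$banner" 'Included patches: 1-938'           | vim_patch_status
printf '%s\n' "$banner" 'Included patches: 1-16, 647, 1003' | vim_patch_status
printf '%s\n' "$old"    'Included patches: 1-2000'          | vim_patch_status
```

On a live host, run `vim --version | vim_patch_status`. For distribution packages, compare the installed package version against the vendor ranges listed under Affected products instead.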
Affected products
12
- osv-coords, 10 versions:
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-17.41.1
- (no CPE) range: < 9.1.1101-1.1
References
- github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead (mitre, x_refsource_MISC)
- github.com/vim/vim/security/advisories/GHSA-5rgf-26wj-48v8 (mitre, x_refsource_CONFIRM)