segmentation fault in win_line() in Vim < 9.1.1043
Description
Segmentation fault in Vim before 9.1.1043 when processing binary characters in silent Ex mode, leading to out-of-bounds write.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in the win_line() function (drawline.c:3977) of Vim. When Vim is run in silent Ex mode (-s -e), it normally operates without a screen. However, feeding specially crafted binary characters can trigger gui_do_scroll(), which calls updateWindow(). This attempts to access the ScreenLines pointer, which has not been allocated because no screen exists, resulting in a segmentation fault. Affected versions are Vim before 9.1.1043. The issue is fixed in Vim 9.1.1043 [1][2].
Exploitation
An attacker needs to provide binary characters to Vim while it is running in silent Ex mode (-s -e). The user must explicitly execute Vim with these flags and feed the binary data, for example via a malicious script file using -S. No authentication or network access is required; the attack is local. The specific command to reproduce is vim -u NONE -i NONE -n -m -X -Z -e -s -S <poc_file> -c :qa!. Feeding the binary content triggers the scroll function, leading to a crash [1].
Impact
Successful exploitation causes a segmentation fault, resulting in denial of service. This is classified as an out-of-bounds write (CWE-787). The impact is considered medium because it requires user interaction (feeding binary data in Ex mode). The references give no indication of code execution or data leakage [1].
Mitigation
The vulnerability is fixed in Vim version 9.1.1043. Users should update to this version or later. If updating is not immediately possible, avoid running Vim in silent Ex mode with untrusted input. The fix adds a check for ScreenLines being NULL before calling updateWindow() in gui_do_scroll() [1][2].
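An added example, not from the advisory or the Vim project: a shell function that reads the text printed by vim --version and reports whether patch 9.1.1043 is included, for checking hosts against the fixed version named above. The sample outputs are constructed, and the check assumes the build lists its patches; a distribution build that backports the fix without listing the patch would be reported as missing it.

```shell
#!/bin/sh
# Added example: decide from `vim --version` text whether the fix is present.
FIX_MAJOR=9 FIX_MINOR=1 FIX_PATCH=1043   # from the page: fixed in 9.1.1043

# Reads `vim --version` output on stdin.
# Exit status: 0 = fix present, 1 = fix missing, 2 = output not recognised.
vim_has_fix() {
    awk -v fmaj="$FIX_MAJOR" -v fmin="$FIX_MINOR" -v fpat="$FIX_PATCH" '
    /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
        split($5, v, ".")                 # field 5 is "major.minor"
        maj = v[1] + 0; min = v[2] + 0; seen = 1
    }
    /^Included patches:/ {
        # The list may have gaps, e.g. "1-16, 18-1042", so test each range.
        sub(/^Included patches:[ \t]*/, "")
        n = split($0, parts, /,[ \t]*/)
        for (i = 1; i <= n; i++) {
            m = split(parts[i], r, "-")
            lo = r[1] + 0
            hi = (m > 1 ? r[2] : r[1]) + 0
            if (fpat + 0 >= lo && fpat + 0 <= hi) has = 1
        }
    }
    END {
        if (!seen) exit 2
        if (maj > fmaj || (maj == fmaj && min > fmin)) exit 0   # newer release
        if (maj == fmaj && min == fmin && has) exit 0           # patch listed
        exit 1
    }'
}

# Constructed sample outputs (not captured from real systems).
SAMPLE_OLD='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 10 2025 10:00:00)
Included patches: 1-16, 18-1042'
SAMPLE_FIXED='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Feb 20 2025 10:00:00)
Included patches: 1-1101'

for sample in "$SAMPLE_OLD" "$SAMPLE_FIXED"; do
    if printf '%s\n' "$sample" | vim_has_fix; then
        echo "fix present"
    else
        echo "fix missing or version not recognised"
    fi
done
# On a real host: vim --version | vim_has_fix
```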
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (12)
- osv-coords (10 versions)
  - pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.3
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.4
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.5
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP6
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5
  - pkg:rpm/suse/vim&distro=SUSE%20Linux%20Micro%206.0
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150000.5.69.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-150500.20.21.1
- (no CPE) range: < 9.1.1101-17.41.1
- (no CPE) range: < 9.1.1101-1.1
References (2)
- github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 (mitre, x_refsource_MISC)
- github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955 (mitre, x_refsource_CONFIRM)