CVE-2025-24014 – segmentation fault in win_line() in Vim < 9.1.1043
https://notcve.org/view.php?id=CVE-2025-24014
20 Jan 2025 — Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a GUI version of Vim by feeding some binary characters to Vim. The function that handles the scrolling, however, may trigger a redraw, which will access the ScreenLines pointer, even though this variable hasn't been all... • https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919 • CWE-787: Out-of-bounds Write
CVE-2025-22134 – heap-buffer-overflow with visual mode in Vim < 9.1.1003
https://notcve.org/view.php?id=CVE-2025-22134
13 Jan 2025 — When switching to other buffers using the :all command while visual mode is still active, this may cause a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim correctly resets the visual mode before opening other windows and buffers and therefore fixes this bug. In addition, it verifies that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is... • https://github.com/vim/vim/commit/c9a1e257f1630a0866447e53a564f7ff96a80ead • CWE-122: Heap-based Buffer Overflow
CVE-2024-47814 – use-after-free when closing buffers in Vim
https://notcve.org/view.php?id=CVE-2024-47814
07 Oct 2024 — Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window), a BufWinLeave auto command can cause a use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However, this may lead to a crash. • https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg • CWE-416: Use After Free
CVE-2024-45306 – heap-buffer-overflow in Vim
https://notcve.org/view.php?id=CVE-2024-45306
02 Sep 2024 — Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop was unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line po... • https://github.com/vim/vim/security/advisories/GHSA-wxf9-c5gx-qrwr • CWE-122: Heap-based Buffer Overflow
CVE-2024-43802 – heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697
https://notcve.org/view.php?id=CVE-2024-43802
26 Aug 2024 — Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. This may cause the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space lef... • https://github.com/vim/vim/commit/322ba9108612bead5eb • CWE-122: Heap-based Buffer Overflow
CVE-2024-43790 – heap-buffer-overflow in do_search() in Vim < 9.1.0689
https://notcve.org/view.php?id=CVE-2024-43790
22 Aug 2024 — Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer,... • https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc • CWE-122: Heap-based Buffer Overflow
CVE-2024-43374 – Vim heap-use-after-free in src/arglist.c:207
https://notcve.org/view.php?id=CVE-2024-43374
15 Aug 2024 — The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. Adding a new file to the argument list triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed, which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer... • https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw • CWE-416: Use After Free
CVE-2024-41965 – Vim < v9.1.0648 has a double-free in dialog_changed()
https://notcve.org/view.php?id=CVE-2024-41965
01 Aug 2024 — Vim is an open source command line text editor. There is a double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has bee... • https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c • CWE-416: Use After Free
CVE-2024-41957 – Vim double free in src/alloc.c:616
https://notcve.org/view.php?id=CVE-2024-41957
01 Aug 2024 — Vim is an open source command line text editor. Vim < v9.1.0647 has a double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However, a bit later the quickfix list belonging to that window will also be cleared, and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, bu... • https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a • CWE-415: Double Free
CVE-2024-22667 – Ubuntu Security Notice USN-6698-1
https://notcve.org/view.php?id=CVE-2024-22667
05 Feb 2024 — Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. Zhen Zhou discovered that Vim did not properly manage memory. An attacker could possibly us... • https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt • CWE-787: Out-of-bounds Write