191 results (0.017 seconds)

CVSS: 3.9EPSS: 0%CPEs: 1EXPL: 0

Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. • https://github.com/vim/vim/security/advisories/GHSA-rj48-v4mq-j4vg https://github.com/vim/vim/commit/51b62387be93c65fa56bbabe1c3 • CWE-416: Use After Free •

CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0

Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. • https://github.com/vim/vim/commit/322ba9108612bead5eb https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh • CWE-122: Heap-based Buffer Overflow •

CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0

Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. • https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm • CWE-122: Heap-based Buffer Overflow •

CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0

The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. • https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 • CWE-416: Use After Free •

CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0

Vim is an open source command line text editor. double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file, if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has been fixed as of Vim patch v9.1.0648. • https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f • CWE-416: Use After Free •