CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43802 – heap-buffer-overflow in ins_typebuf() in Vim < 9.1.0697
https://notcve.org/view.php?id=CVE-2024-43802
Vim is an improved version of the unix vi text editor. When flushing the typeahead buffer, Vim moves the current position in the typeahead buffer but does not check whether there is enough space left in the buffer to handle the next characters. So this may lead to the tb_off position within the typebuf variable to point outside of the valid buffer size, which can then later lead to a heap-buffer overflow in e.g. ins_typebuf(). Therefore, when flushing the typeahead buffer, check if there is enough space left before advancing the off position. If not, fall back to flush current typebuf contents. • https://github.com/vim/vim/commit/322ba9108612bead5eb https://github.com/vim/vim/security/advisories/GHSA-4ghr-c62x-cqfh • CWE-122: Heap-based Buffer Overflow •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43790 – heap-buffer-overflow in do_search() in Vim < 9.1.0689
https://notcve.org/view.php?id=CVE-2024-43790
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. • https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm • CWE-122: Heap-based Buffer Overflow •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43374 – Vim heap-use-after-free in src/arglist.c:207
https://notcve.org/view.php?id=CVE-2024-43374
The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. • https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8 • CWE-416: Use After Free •
CVSS: 4.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41965 – Vim < v9.1.0648 has a double-free in dialog_changed()
https://notcve.org/view.php?id=CVE-2024-41965
Vim is an open source command line text editor. double-free in dialog_changed() in Vim < v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the modified buffer. If the user wants the changed buffer to be saved, Vim may create a new Untitled file, if the buffer did not have a name yet. However, when setting the buffer name to Unnamed, Vim will falsely free a pointer twice, leading to a double-free and possibly later to a heap-use-after-free, which can lead to a crash. The issue has been fixed as of Vim patch v9.1.0648. • https://github.com/vim/vim/commit/b29f4abcd4b3382fa746edd1d0562b7b48c https://github.com/vim/vim/security/advisories/GHSA-46pw-v7qw-xc2f • CWE-416: Use After Free •
CVSS: 4.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41957 – Vim double free in src/alloc.c:616
https://notcve.org/view.php?id=CVE-2024-41957
Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. • https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 • CWE-415: Double Free •