CVE-2023-48706

Vim has heap-use-after-free at /src/charset.c:1770:12 in skipwhite

Severity Score

4.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

Vim es un editor UNIX que, antes de la versión 9.0.2121, tiene una vulnerabilidad de heap-use-after-free. Al ejecutar un comando `:s` por primera vez y utilizar un átomo subreemplazante especial dentro de la parte de sustitución, es posible que la llamada recursiva `:s` provoque la liberación de memoria a la que luego se podrá acceder por el comando inicial `:s`. El usuario debe ejecutar intencionalmente el payload y todo el proceso es un poco complicado de realizar ya que parece funcionar solo de manera confiable para el primer comando :s. También puede provocar un bloqueo de Vim. La versión 9.0.2121 contiene una solución para este problema.

It was discovered that Vim could be made to dereference invalid memory. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. It was discovered that Vim could be made to recurse infinitely. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

Low

Attack Vector

Local

Attack Complexity

High

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-17 CVE Reserved
2023-11-22 CVE Published
2025-02-13 CVE Updated
2025-02-13 First Exploit
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-416: Use After Free

CAPEC

References (8)

URL	Tag	Source
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E
https://security.netapp.com/advisory/ntap-20240105-0001

URL	Date	SRC
https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf	2025-02-13
https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q	2025-02-13

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2023/11/22/3	2024-01-05
https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb	2024-01-05
https://github.com/vim/vim/pull/13552	2024-01-05

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vim Search vendor "Vim"		Vim Search vendor "Vim" for product "Vim"				< 9.0.2121 Search vendor "Vim" for product "Vim" and version " < 9.0.2121"		-		Affected