CVE-2024-47814 — Use After Free in VIM

CWE-416 — Use After Free6 documents6 sources

Severity

4.7MEDIUMNVD

EPSS

0.1%

top 78.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM Msrc Azl3 VIM 9.0.2190-6 ON Azure Linux 3.0 +7 more

Timeline

PublishedOct 7

Latest updateNov 27

Description

Vim is an open source, command line text editor. A use-after-free was found in Vim < 9.1.0764. When closing a buffer (visible in a window) a BufWinLeave auto command can cause an use-after-free if this auto command happens to re-open the same buffer in a new split window. Impact is low since the user must have intentionally set up such a strange auto command and run some buffer unload commands. However this may lead to a crash. This issue has been addressed in version 9.1.0764 and all users are …

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 1.0 | Impact: 3.6

Affected Packages12 packages

▶CVEListV5vim/vim< v9.1.0764

▶NVDvim/vim< 9.1.0764

▶debiandebian/vim< vim 2:9.0.1378-2+deb12u1 (bookworm)

▶Debianvim/vim< 2:8.2.2434-3+deb11u2+3

▶msrcmsrc/azure_linux_3.0_arm

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2024-47814: Vim is an open source, command line text editor↗2024-10-07

▶

📋Vendor Advisories

Ubuntu

Vim vulnerability↗2024-11-27

▶

Microsoft

use-after-free when closing buffers in Vim↗2024-10-08

▶

Red Hat

vim: use-after-free when closing buffers in Vim↗2024-10-07

▶

Debian

CVE-2024-47814: vim - Vim is an open source, command line text editor. A use-after-free was found in V...↗2024

▶