CVE-2025-26603: Use After Free in VIM

CWE-416: Use After Free (7 documents, 6 sources)

Severity
NVD: 4.2 MEDIUM
OSV: 2.4
EPSS: 0.0% (top 91.03%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Feb 18
Latest update: Apr 7

Description

Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows screen messages to be redirected to a register, a variable or a file using the `:redir` ex command. It also allows the contents of registers to be shown using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim frees the register content before storing the new content in the register. Now, when redirecting the `:display` command to a register that is itself being displayed, Vim will f

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L (Exploitability: 0.8 | Impact: 3.4)

Affected Packages (6 packages)

Source   | Package    | Affected versions
NVD      | vim/vim    | < 9.1.1115
debian   | debian/vim | < vim 2:9.1.1230-1 (forky)
Debian   | vim/vim    | < 2:9.1.1230-1+1
Ubuntu   | vim/vim    | < 2:8.1.2269-1ubuntu5.32+5

Patches

Vulnerability Details (2)

OSV: vim vulnerabilities (2025-04-07)
OSV: CVE-2025-26603: Vim is a greatly improved version of the good old UNIX editor Vi (2025-02-18)

Vendor Advisories (4)

Ubuntu: Vim vulnerabilities (2025-04-07)
Red Hat: vim: heap-use-after-free in function str_to_reg in vim/vim (2025-02-18)
Microsoft: heap-use-after-free in function str_to_reg in vim/vim (2025-02-11)
Debian: CVE-2025-26603: vim - Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows to ... (2025)
CVE-2025-26603 — Use After Free in VIM | cvebase