CVE-2025-55157 — Use After Free in VIM

CWE-416 — Use After Free4 documents4 sources

Severity

6.9MEDIUMNVD

EPSS

0.0%

top 84.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

VIM Debian VIM

Timeline

PublishedAug 11

Description

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim’s internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been …

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶NVDvim/vim9.1.1231 — 9.1.1400

▶CVEListV5vim/vim>= 9.1.1231, < 9.1.1400

▶debiandebian/vim

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2025-55157: Vim is an open source, command line text editor↗2025-08-11

▶

📋Vendor Advisories

Red Hat

vim: Vim heap use-after-free vulnerability when processing recursive tuple data types↗2025-08-11

▶

Debian

CVE-2025-55157: vim - Vim is an open source, command line text editor. In versions from 9.1.1231 to be...↗2025

▶