Описание
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
A flaw was found in Vim, an open source, command line text editor. This heap buffer overflow vulnerability exists in the tag file resolution logic when processing the 'helpfile' option. A local user could exploit this by providing a specially crafted 'helpfile' option value, leading to a heap buffer overflow. This could result in arbitrary code execution or a denial of service.
Отчет
This MODERATE impact vulnerability in Vim's tag file resolution logic allows a local attacker to achieve a out-of-bounds write. By providing a specially crafted helpfile option value a local user can trigger a heap buffer overflow, as consequence lead to memory corruption presenting a data integrity impact or leading the vim process to crash resulting in availability impact. Although being non-trivial and very complex, arbitrary code execution is not discarded as worst case scenario.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | vim | Out of support scope | ||
| Red Hat Enterprise Linux 7 | vim | Affected | ||
| Red Hat Enterprise Linux 9 | vim | Affected | ||
| Red Hat OpenShift Container Platform 4 | rhcos | Affected | ||
| Red Hat Enterprise Linux 10 | vim | Fixed | RHSA-2026:4715 | 17.03.2026 |
| Red Hat Enterprise Linux 8 | vim | Fixed | RHSA-2026:4442 | 12.03.2026 |
| Red Hat Enterprise Linux 8 | vim | Fixed | RHSA-2026:4442 | 12.03.2026 |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132.
Vim is an open source, command line text editor. Prior to version 9.1. ...
EPSS
7.3 High
CVSS3