CVE-2024-43374

The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
4.5 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
GitHub_MCNA
4.5 MEDIUM
LOCAL
HIGH
NONE
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 4%
Debian logo
Debian Releases
Debian Product
Codename
vim
bullseye
unimportant
bullseye (security)
unimportant
bookworm
unimportant
trixie
2:9.1.1230-2
fixed
sid
2:9.1.1230-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
vim
noble
Fixed 2:9.1.0016-1ubuntu7.2
released
jammy
Fixed 2:8.2.3995-1ubuntu2.18
released
focal
Fixed 2:8.1.2269-1ubuntu5.24
released
bionic
Fixed 2:8.0.1453-1ubuntu1.13+esm9
released
xenial
Fixed 2:7.4.1689-3ubuntu1.5+esm24
released
trusty
Fixed 2:7.4.052-1ubuntu3.1+esm18
released
Common Weakness Enumeration
References
https://github.com/vim/vim/commit/0a6e57b09bc8c76691b367a5babfb79b31b770e8
https://github.com/vim/vim/security/advisories/GHSA-2w8m-443v-cgvw
http://www.openwall.com/lists/oss-security/2024/08/15/6
https://security.netapp.com/advisory/ntap-20240920-0004/