CVE-2025-55158

EUVD-2025-24192

11.08.2025, 23:15

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim’s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 22%

Affected Products (NVD)

Vendor	Product	Version
vim	vim	9.1.1231 ≤ 𝑥 < 9.1.1406

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

vim

bookworm	2:9.0.1378-2+deb12u2 fixed
bullseye	2:8.2.2434-3+deb11u1 fixed
bullseye (security)	2:8.2.2434-3+deb11u3 fixed
forky	2:9.2.0461-1 fixed
sid	2:9.2.0461-1 fixed
trixie	2:9.1.1230-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

vim

bionic	not-affected
focal	not-affected
jammy	not-affected
noble	not-affected
plucky	not-affected
trusty	not-affected
xenial	not-affected

openSUSE / SLES Releases

openSUSE Product

Release

gvim

suse enterprise server 15 SP4

9.1.1629-150000.5.78.1

fixed

vim

suse enterprise desktop 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise desktop 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP4	9.1.1629-150000.5.78.1 fixed
suse enterprise server 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP7	9.1.1629-150500.20.33.1 fixed

vim-data

suse enterprise desktop 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise desktop 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP4	9.1.1629-150000.5.78.1 fixed
suse enterprise server 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP7	9.1.1629-150500.20.33.1 fixed

vim-data-common

suse enterprise desktop 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise desktop 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP4	9.1.1629-150000.5.78.1 fixed
suse enterprise server 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP7	9.1.1629-150500.20.33.1 fixed

vim-small

suse enterprise desktop 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise desktop 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise sap 15 SP7	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP4	9.1.1629-150000.5.78.1 fixed
suse enterprise server 15 SP6	9.1.1629-150500.20.33.1 fixed
suse enterprise server 15 SP7	9.1.1629-150500.20.33.1 fixed

Common Weakness Enumeration

CWE-415 - Double Free
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

References

https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775

https://github.com/vim/vim/releases/tag/v9.1.1406

https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x