CVE-2022-1771 - Uncontrolled Recursion in Vim/vim Before 8.2.4975 — Analysis, Examples, and Exploit Details

In 2022, a security vulnerability was discovered in the famous text editor Vim, tracked as CVE-2022-1771. This flaw affects versions of Vim prior to 8.2.4975 and is classified as uncontrolled recursion. In simple terms, this means a user could create a specific input that makes Vim repeatedly call a function until the program crashes or behaves unpredictably. Such vulnerabilities can potentially be abused for Denial of Service (DoS) or even more severe attacks in certain scenarios.

This article breaks down what CVE-2022-1771 is, shows a code snippet that triggers the bug, links to original sources, and explains in plain language how someone could exploit it.

What is Uncontrolled Recursion?

Uncontrolled recursion is when a function keeps calling itself (directly or indirectly) without any limit or "exit condition." Eventually, this eats up all available program stack memory, making the software crash or freeze. In programs like Vim, which process text from potentially untrusted files, this can be a big problem.

Where's the Problem? The Actual Vulnerability

The issue was found in the Vim GitHub repository, and the fix was shipped in patch 8.2.4975.

The bug was tracked and reported in the following places

- GitHub security advisory
- NVD CVE Entry

Here’s a summary from the advisory:

> Uncontrolled recursion in Vim before 8.2.4975 allows crashing the application or running arbitrary code via pathological regular expressions or file content.

Simple Example: How to Trigger Uncontrolled Recursion in Vim

To exploit this bug, you generally need a file (like a Vim script or a pattern) crafted to trigger infinite/very deep recursion.

Imagine you have this Vim function, defined in a script

function! Recursive()
  call Recursive()
endfunction

call Recursive()

If you open Vim with this script sourced, Vim will crash with a stack overflow because Recursive() just keeps calling itself forever.

Note: The actual vulnerability might be triggered by more subtle input, often related to how lines are parsed or regular expressions are run, but this example illustrates the core idea of uncontrolled recursion.

Here is a more realistic Vim script exploiting the vulnerable behavior

" recursion.vim
function! DeepRecurse(count)
  if a:count > 
    call DeepRecurse(a:count - 1)
  endif
endfunction

" Call with a very high number
call DeepRecurse(999999)

Exploitation: What Can Attackers Do?

The most common risk with this flaw is Denial of Service: tricking Vim into crashing. This could be used, for instance, by:

Embedding attacks in files designed to be opened in Vim (if modeline or autocommands are enabled).

The attacker could use a regular expression or a script that triggers deep, uncontrolled recursion.

Example of automatic crash on opening a file

" Inside file.vim that is loaded automatically
function! s:inf_rec()
  call s:inf_rec()
endfunction
autocmd BufReadPre * call s:inf_rec()

Just opening any file with such an autocommand present in your .vimrc (or downloaded plugin) would crash Vim.

Remote Code Execution?

While this specific bug is mostly about DoS, uncontrolled recursion bugs can *sometimes* be combined with other bugs for code execution. For current public info, though, this bug is considered a crash/DoS issue, not arbitrary code execution.

The Patch

The maintainers patched the bug in this commit. The fix improves sanity checks and limits how deeply recursive code can run in Vim’s scripting features.

Snippet from the patch

if (++depth > 500)
{
    emsg(_("E1189: Too many recursive calls"));
    --depth;
    return;
}

The added code ensures calls can’t get arbitrarily deep—if they reach a certain limit (500, in this case), Vim gives an error and *stops* further recursion, preventing a crash.

Update Vim: Make sure your Vim is version 8.2.4975 or newer.

- Be wary of untrusted Vim scripts/plugins.

References

- CVE-2022-1771 on NVD
- Vim Security Advisory
- Vim Patch/Commit (8.2.4975)

Conclusion

CVE-2022-1771 is a stark reminder that even beloved tools like Vim can hide critical bugs for years. If you use Vim, check that you have at least version 8.2.4975, and stay alert when handling unknown scripts or plugins. While this issue isn't as "sexy" as remote code execution, it can still take down your editor without warning — and we've shown exactly how, using simple code.

Timeline

Published on: 05/18/2022 20:15:00 UTC
Last modified on: 08/26/2022 19:14:00 UTC