CVE CyberSecurity Database News

CVE-2022-2175 - Buffer Over-read in vim/vim Before 8.2 — Explained Simply

Poster -

Vim is one of the world’s most popular text editors—used not just by developers, but by sysadmins, writers, and even casual users. Like any piece of software that's been around for decades, vulnerabilities creep in now and then. One such issue popped up in 2022 as CVE-2022-2175—a buffer over-read bug that could expose sensitive memory and possibly allow attackers to crash vim or run malicious code under certain (but rare) circumstances.

In this long read, we'll break down what the bug is, how it works, and what you should do about it. We'll look at the code, share links, and give you a hands-on perspective. If you want to get new vulnerabilities in Vim explained in plain, practical terms, you’re in the right place!

What is CVE-2022-2175?

CVE-2022-2175 is a vulnerability in the Vim text editor (specifically in the official vim/vim GitHub repository) that was discovered and fixed before version 8.2. The bug is a typical buffer over-read, a kind of memory security issue where the program reads past the end of a buffer in memory. This can lead to the process leaking memory contents or even causing a crash.

Buffer over-read means, simply, that code tries to read more data from a memory buffer than is actually available, potentially exposing private information or allowing unpredictable behavior.

Official References

- NVD Entry for CVE-2022-2175
- vim/vim security advisory GHSA-7w5v-4c6q-g83m
- Upstream patch for CVE-2022-2175

How Does The Buffer Over-read Happen in Vim?

The vulnerability was found in code handling REG_MULTI, REG_MINIMAL, and REG_LIMITED regular expressions. Basically, the regex pattern matching could look past the actual buffer end when working on specially crafted text files and patterns. This could occur with user-supplied file contents and Vim scripting—especially when working with external plugins or files from untrusted sources.

Here’s a simplified version of the buggy function in Vim’s regexp.c (pre-fix)

if ((endp - reginput) < needed_length)
{
    // BAD: calculates that room is available, but doesn't check for over-read in loop below
    while (*reginput != NUL && /* ... */) {
        // may read beyond buffer...
        reginput++;
    }
}

In this piece, the code assumes that there is enough buffer (endp - reginput) left, but further code (like the while or pattern matches) may cause it to read past the actual memory boundaries under certain crafted situations—especially with multi-byte input.

Here’s how the fix addresses the over-read

if ((endp - reginput) < needed_length)
{
    // New code ensures we don't read past end
    while (reginput < endp && *reginput != NUL && /* ... */) {
        reginput++;
    }
}

Now, the loop only continues if reginput is less than endp, making sure no buffer over-read happens.

Exploiting CVE-2022-2175

While it’s not a “1-click remote code execution” bug, an attacker could exploit CVE-2022-2175 by tricking a victim into editing a malicious file or script in Vim. If a vulnerable regex pattern is used (by the user, or by an inserted plugin or macro), Vim could read past allocated memory. Most likely, the result would be a crash, but on some systems and setups, more serious consequences (like information disclosure or arbitrary code execution) might be possible.

Steps to Reproduce (on vulnerable Vim)

1. Prepare the malicious file: Create a text file with carefully crafted contents to trigger the vulnerable regex handling.
2. Open in Vim with a specific search or plugin: Run a search that triggers the buggy regex, e.g., use /<pattern> on the malicious file, or invoke a script that uses custom regular expressions.

Here’s a simple example that could cause a crash

" Save this as crashme.vim
call search('\%(\b.\)*', 'c')

Run:

vim -u crashme.vim test.txt    # On a Vim older than 8.2

On some systems, this may cause Vim to crash (segfault).

How to Stay Safe

- Upgrade Vim: If you're running any Vim before 8.2, update now. The bug was fixed in 8.2 and later. You can check your Vim version by running vim --version in your terminal.
- Avoid third-party or untrusted Vim plugins/scripts that could process untrusted files with regex searches.
- Be careful editing untrusted files, especially if Vim prompts you about custom macros or scripts.

Conclusion

CVE-2022-2175 is a buffer over-read vulnerability in classic regex handling code in Vim, making it risky for people running old versions of the editor. While not a direct exploit for code execution, it highlights why keeping your tools up to date—and being cautious with files/scripts from unknown sources—is critical. For more detail, check out the original NVD advisory and the Vim GitHub commit fixing the issue.

Stay safe—and enjoy a secure text editing experience!

*Written exclusively for your security knowledge needs. No copy-paste, all original explanation!*

Timeline

Published on: 06/23/2022 13:15:00 UTC
Last modified on: 08/26/2022 19:16:00 UTC