CVE-2024-43374 - Use-After-Free Vulnerability in Vim's Argument List Handling
Vim is one of the most popular UNIX editors in existence, trusted by millions of developers and sysadmins. However, like all software, bugs can slip through the cracks. In June 2024, a vulnerability known as CVE-2024-43374 came to light, impacting Vim versions prior to 9.1.0678. This post will break down what went wrong, how it can be triggered, and what you need to do about it.
What Is CVE-2024-43374?
At its core, this vulnerability is a use-after-free bug. That means the application keeps a reference (a pointer, in C terms) to some memory that has already been freed. If the program tries to use that reference again, it can crash, or in rare cases, the bug can be exploited for code execution.
In the case of CVE-2024-43374, the problem sits in the way Vim handles argument lists — the list of files you open using commands like :args, :next, or :argadd.
You use Vim’s command to add a file to the argument list.
2. This action triggers one or more Buf* autocommands (such as BufRead, BufNewFile, or BufEnter).
3. Inside one of these autocommands, a plugin or user autocmd closes the buffer that was just opened (for example, by executing :bwipeout).
The window structure holds a reference to the argument list the command is still modifying.
6. Once the autocommands finish, Vim tries to access data in the freed structures — but these are now dangling pointers.
Result: Vim crashes.
In practice, this situation is rare, and it doesn't occur unless specifically triggered — either by a very unusual autocommand written by the user, or by a malicious plugin.
Example: How to Trigger CVE-2024-43374
Here’s a simple way to demonstrate the bug yourself (only on a vulnerable Vim, pre-9.1.0678!). This will crash Vim, so only try in a safe environment.
Let's add an autocommand that wipes out a buffer as soon as it's read
" Save this as ~/.vimrc or source it before testing
augroup CrashVim
autocmd!
autocmd BufRead * bwipeout
augroup END
With that in place, open Vim and add a new file to the argument list
vim file1
Then, from inside Vim
:argadd file2
If you run Vim under gdb, you will see an error similar to
Program received signal SIGSEGV, Segmentation fault.
x000000000044c2fa in do_argadd ()
...
Is It Dangerous?
Overall, the security risk is low.
- Crashing only: As currently understood, the bug is not directly exploitable for arbitrary code execution — it just causes Vim to crash.
- Triggers are atypical: It doesn’t happen during normal use. You either need an odd user script/autocommand, or a purposely malicious plugin.
However, denial of service is always a problem, and bugs like these often become stepping stones for deeper attacks.
Here’s a self-contained script you can use (on a vulnerable Vim) to see the crash
" This will crash Vim when you add a new file to args
autocmd BufRead * bwipeout
:argadd foo.txt
Solution: How to Fix
Upgrade Vim!
A fix was merged in Vim patch 9.1.0678.
Run this in Vim command mode
:version
Look for a line like VIM - Vi IMproved 9.1 (2024 Jun 01, compiled ...).
Links and References
- CVE-2024-43374 official MITRE entry
- Vim issue #12930 (github.com/vim/vim)
- Fixed by Vim patch v9.1.0678
- Full list of Vim's recent security advisories
People who manage shared Vim installs (multi-user systems, lab environments).
If you only use Vim in simple ways and don’t source random plugins, your risk is almost zero — but upgrading is always smart.
Timeline
Published on: 08/16/2024 02:15:17 UTC
Last modified on: 08/19/2024 13:00:23 UTC