CVE-2023-48706

CVE-2023-48706

Name

CVE-2023-48706

Description

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes free-ing of memory which may later then be accessed by the initial `:s` command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
	https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q
	https://github.com/vim/vim/pull/13552
	https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb
	https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf
	http://www.openwall.com/lists/oss-security/2023/11/22/3
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/
security-advisories@github.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/
security-advisories@github.com	https://security.netapp.com/advisory/ntap-20240105-0001/

Type

URI

https://github.com/vim/vim/security/advisories/GHSA-c8qm-x72m-q53q

https://github.com/vim/vim/pull/13552

https://github.com/vim/vim/commit/26c11c56888d01e298cd8044caf860f3c26f57bb

https://github.com/gandalf4a/crash_report/blob/main/vim/vim_huaf

http://www.openwall.com/lists/oss-security/2023/11/22/3

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DNMFS3IH74KEMMESOA3EOB6MZ56TWGFF/

security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IVA7K73WHQH4KVFDJQ7ELIUD2WK5ZT5E/

security-advisories@github.com

https://security.netapp.com/advisory/ntap-20240105-0001/

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:vim:vim::::::::`	vim	>= None	< 9.0.2121

CPE URI

Source package

Min version

Max version

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

vim

>= None

< 9.0.2121

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
vim	edge-main	9.0.2127-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
vim	edge-main	9.0.2112-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.2073-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1994-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1888-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1413-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1395-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1251-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1198-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.1167-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0999-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0815-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0636-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0598-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0437-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0369-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0270-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0224-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	9.0.0050-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.5170-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.5055-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.5000-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4969-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4836-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4708-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4619-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4542-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4350-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.4173-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.3779-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.3650-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.3567-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.3500-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.2.3437-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	edge-main	8.1.1365-r0	None	possibly vulnerable
vim	edge-main	8.0.1521-r0	None	possibly vulnerable
vim	edge-main	8.0.0329-r0	None	possibly vulnerable
vim	edge-main	8.0.0056-r0	None	possibly vulnerable
vim	3.22-main	9.0.2127-r0	None	fixed
vim	3.22-main	9.0.2112-r0	None	possibly vulnerable
vim	3.22-main	9.0.2073-r0	None	possibly vulnerable
vim	3.22-main	9.0.1994-r0	None	possibly vulnerable
vim	3.22-main	9.0.1888-r0	None	possibly vulnerable
vim	3.22-main	9.0.1413-r0	None	possibly vulnerable
vim	3.22-main	9.0.1395-r0	None	possibly vulnerable
vim	3.22-main	9.0.1251-r0	None	possibly vulnerable
vim	3.22-main	9.0.1198-r0	None	possibly vulnerable
vim	3.22-main	9.0.1167-r0	None	possibly vulnerable
vim	3.22-main	9.0.0999-r0	None	possibly vulnerable
vim	3.22-main	9.0.0815-r0	None	possibly vulnerable
vim	3.22-main	9.0.0636-r0	None	possibly vulnerable
vim	3.22-main	9.0.0598-r0	None	possibly vulnerable
vim	3.22-main	9.0.0437-r0	None	possibly vulnerable
vim	3.22-main	9.0.0369-r0	None	possibly vulnerable
vim	3.22-main	9.0.0270-r0	None	possibly vulnerable
vim	3.22-main	9.0.0224-r0	None	possibly vulnerable
vim	3.22-main	9.0.0050-r0	None	possibly vulnerable
vim	3.22-main	8.2.5170-r0	None	possibly vulnerable
vim	3.22-main	8.2.5055-r0	None	possibly vulnerable
vim	3.22-main	8.2.5000-r0	None	possibly vulnerable
vim	3.22-main	8.2.4969-r0	None	possibly vulnerable
vim	3.22-main	8.2.4836-r0	None	possibly vulnerable
vim	3.22-main	8.2.4708-r0	None	possibly vulnerable
vim	3.22-main	8.2.4619-r0	None	possibly vulnerable
vim	3.22-main	8.2.4542-r0	None	possibly vulnerable
vim	3.22-main	8.2.4350-r0	None	possibly vulnerable
vim	3.22-main	8.2.4173-r0	None	possibly vulnerable
vim	3.22-main	8.2.3779-r0	None	possibly vulnerable
vim	3.22-main	8.2.3650-r0	None	possibly vulnerable
vim	3.22-main	8.2.3567-r0	None	possibly vulnerable
vim	3.22-main	8.2.3500-r0	None	possibly vulnerable
vim	3.22-main	8.2.3437-r0	None	possibly vulnerable
vim	3.22-main	8.1.1365-r0	None	possibly vulnerable
vim	3.22-main	8.0.1521-r0	None	possibly vulnerable
vim	3.22-main	8.0.0329-r0	None	possibly vulnerable
vim	3.22-main	8.0.0056-r0	None	possibly vulnerable
vim	3.21-main	9.0.2127-r0	None	fixed
vim	3.21-main	9.0.2112-r0	None	possibly vulnerable
vim	3.21-main	9.0.2073-r0	None	possibly vulnerable
vim	3.21-main	9.0.1994-r0	None	possibly vulnerable
vim	3.21-main	9.0.1888-r0	None	possibly vulnerable
vim	3.21-main	9.0.1413-r0	None	possibly vulnerable
vim	3.21-main	9.0.1395-r0	None	possibly vulnerable
vim	3.21-main	9.0.1251-r0	None	possibly vulnerable
vim	3.21-main	9.0.1198-r0	None	possibly vulnerable
vim	3.21-main	9.0.1167-r0	None	possibly vulnerable
vim	3.21-main	9.0.0999-r0	None	possibly vulnerable
vim	3.21-main	9.0.0815-r0	None	possibly vulnerable
vim	3.21-main	9.0.0636-r0	None	possibly vulnerable
vim	3.21-main	9.0.0598-r0	None	possibly vulnerable
vim	3.21-main	9.0.0437-r0	None	possibly vulnerable
vim	3.21-main	9.0.0369-r0	None	possibly vulnerable
vim	3.21-main	9.0.0270-r0	None	possibly vulnerable
vim	3.21-main	9.0.0224-r0	None	possibly vulnerable
vim	3.21-main	9.0.0050-r0	None	possibly vulnerable
vim	3.21-main	8.2.5170-r0	None	possibly vulnerable
vim	3.21-main	8.2.5055-r0	None	possibly vulnerable
vim	3.21-main	8.2.5000-r0	None	possibly vulnerable
vim	3.21-main	8.2.4969-r0	None	possibly vulnerable
vim	3.21-main	8.2.4836-r0	None	possibly vulnerable
vim	3.21-main	8.2.4708-r0	None	possibly vulnerable
vim	3.21-main	8.2.4619-r0	None	possibly vulnerable
vim	3.21-main	8.2.4542-r0	None	possibly vulnerable
vim	3.21-main	8.2.4350-r0	None	possibly vulnerable
vim	3.21-main	8.2.4173-r0	None	possibly vulnerable
vim	3.21-main	8.2.3779-r0	None	possibly vulnerable
vim	3.21-main	8.2.3650-r0	None	possibly vulnerable
vim	3.21-main	8.2.3567-r0	None	possibly vulnerable
vim	3.21-main	8.2.3500-r0	None	possibly vulnerable
vim	3.21-main	8.2.3437-r0	None	possibly vulnerable
vim	3.21-main	8.1.1365-r0	None	possibly vulnerable
vim	3.21-main	8.0.1521-r0	None	possibly vulnerable
vim	3.21-main	8.0.0329-r0	None	possibly vulnerable
vim	3.21-main	8.0.0056-r0	None	possibly vulnerable
vim	3.20-main	9.0.2127-r0	None	fixed
vim	3.20-main	9.0.2112-r0	None	possibly vulnerable
vim	3.20-main	9.0.2073-r0	None	possibly vulnerable
vim	3.20-main	9.0.1994-r0	None	possibly vulnerable
vim	3.20-main	9.0.1888-r0	None	possibly vulnerable
vim	3.20-main	9.0.1413-r0	None	possibly vulnerable
vim	3.20-main	9.0.1395-r0	None	possibly vulnerable
vim	3.20-main	9.0.1251-r0	None	possibly vulnerable
vim	3.20-main	9.0.1198-r0	None	possibly vulnerable
vim	3.20-main	9.0.1167-r0	None	possibly vulnerable
vim	3.20-main	9.0.0999-r0	None	possibly vulnerable
vim	3.20-main	9.0.0815-r0	None	possibly vulnerable
vim	3.20-main	9.0.0636-r0	None	possibly vulnerable
vim	3.20-main	9.0.0598-r0	None	possibly vulnerable
vim	3.20-main	9.0.0437-r0	None	possibly vulnerable
vim	3.20-main	9.0.0369-r0	None	possibly vulnerable
vim	3.20-main	9.0.0270-r0	None	possibly vulnerable
vim	3.20-main	9.0.0224-r0	None	possibly vulnerable
vim	3.20-main	9.0.0050-r0	None	possibly vulnerable
vim	3.20-main	8.2.5170-r0	None	possibly vulnerable
vim	3.20-main	8.2.5055-r0	None	possibly vulnerable
vim	3.20-main	8.2.5000-r0	None	possibly vulnerable
vim	3.20-main	8.2.4969-r0	None	possibly vulnerable
vim	3.20-main	8.2.4836-r0	None	possibly vulnerable
vim	3.20-main	8.2.4708-r0	None	possibly vulnerable
vim	3.20-main	8.2.4619-r0	None	possibly vulnerable
vim	3.20-main	8.2.4542-r0	None	possibly vulnerable
vim	3.20-main	8.2.4350-r0	None	possibly vulnerable
vim	3.20-main	8.2.4173-r0	None	possibly vulnerable
vim	3.20-main	8.2.3779-r0	None	possibly vulnerable
vim	3.20-main	8.2.3650-r0	None	possibly vulnerable
vim	3.20-main	8.2.3567-r0	None	possibly vulnerable
vim	3.20-main	8.2.3500-r0	None	possibly vulnerable
vim	3.20-main	8.2.3437-r0	None	possibly vulnerable
vim	3.20-main	8.1.1365-r0	None	possibly vulnerable
vim	3.20-main	8.0.1521-r0	None	possibly vulnerable
vim	3.20-main	8.0.0329-r0	None	possibly vulnerable
vim	3.20-main	8.0.0056-r0	None	possibly vulnerable
vim	3.19-main	9.0.2127-r0	Natanael Copa <ncopa@alpinelinux.org>	fixed
vim	3.19-main	9.0.2112-r0	None	possibly vulnerable
vim	3.19-main	9.0.2073-r0	None	possibly vulnerable
vim	3.19-main	9.0.1994-r0	None	possibly vulnerable
vim	3.19-main	9.0.1888-r0	None	possibly vulnerable
vim	3.19-main	9.0.1413-r0	None	possibly vulnerable
vim	3.19-main	9.0.1395-r0	None	possibly vulnerable
vim	3.19-main	9.0.1251-r0	None	possibly vulnerable
vim	3.19-main	9.0.1198-r0	None	possibly vulnerable
vim	3.19-main	9.0.1167-r0	None	possibly vulnerable
vim	3.19-main	9.0.0999-r0	None	possibly vulnerable
vim	3.19-main	9.0.0815-r0	None	possibly vulnerable
vim	3.19-main	9.0.0636-r0	None	possibly vulnerable
vim	3.19-main	9.0.0598-r0	None	possibly vulnerable
vim	3.19-main	9.0.0437-r0	None	possibly vulnerable
vim	3.19-main	9.0.0369-r0	None	possibly vulnerable
vim	3.19-main	9.0.0270-r0	None	possibly vulnerable
vim	3.19-main	9.0.0224-r0	None	possibly vulnerable
vim	3.19-main	9.0.0050-r0	None	possibly vulnerable
vim	3.19-main	8.2.5170-r0	None	possibly vulnerable
vim	3.19-main	8.2.5055-r0	None	possibly vulnerable
vim	3.19-main	8.2.5000-r0	None	possibly vulnerable
vim	3.19-main	8.2.4969-r0	None	possibly vulnerable
vim	3.19-main	8.2.4836-r0	None	possibly vulnerable
vim	3.19-main	8.2.4708-r0	None	possibly vulnerable
vim	3.19-main	8.2.4619-r0	None	possibly vulnerable
vim	3.19-main	8.2.4542-r0	None	possibly vulnerable
vim	3.19-main	8.2.4350-r0	None	possibly vulnerable
vim	3.19-main	8.2.4173-r0	None	possibly vulnerable
vim	3.19-main	8.2.3779-r0	None	possibly vulnerable
vim	3.19-main	8.2.3650-r0	None	possibly vulnerable
vim	3.19-main	8.2.3567-r0	None	possibly vulnerable
vim	3.19-main	8.2.3500-r0	None	possibly vulnerable
vim	3.19-main	8.2.3437-r0	None	possibly vulnerable
vim	3.19-main	8.1.1365-r0	None	possibly vulnerable
vim	3.19-main	8.0.1521-r0	None	possibly vulnerable
vim	3.19-main	8.0.0329-r0	None	possibly vulnerable
vim	3.19-main	8.0.0056-r0	None	possibly vulnerable
vim	3.18-main	9.0.2073-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable
vim	3.17-main	9.0.0999-r0	Natanael Copa <ncopa@alpinelinux.org>	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

References

Match rules

Vulnerable and fixed packages