CVE-2022-0359 Overview
CVE-2022-0359 is a heap-based buffer overflow vulnerability affecting the Vim text editor prior to version 8.2. This memory corruption flaw occurs in the command-line input handling when processing files with large tabstop values in Ex mode. An attacker could craft a malicious file that, when opened by a victim using Vim, triggers illegal memory access leading to potential code execution or application crash.
Critical Impact
Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the user running Vim, potentially leading to full system compromise if the user has elevated privileges.
Affected Products
- Vim versions prior to 8.2.4214
- Debian Linux 9.0 and 10.0
- Apple macOS (various versions)
Discovery Timeline
- 2022-01-26 - CVE-2022-0359 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2022-0359
Vulnerability Analysis
The vulnerability stems from improper buffer allocation in Vim's Ex mode command-line handling. When a user opens a specially crafted file with an excessively large tabstop setting, the buffer allocation logic fails to account for the required space, resulting in a heap-based buffer overflow. The flaw is classified under CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).
The attack requires local access and user interaction—specifically, the victim must open a malicious file using Vim. Once triggered, the vulnerability allows an attacker to corrupt heap memory, potentially overwriting critical data structures or function pointers, which could lead to arbitrary code execution.
Root Cause
The root cause lies in the alloc_cmdbuff() function within src/ex_getln.c. The original code allocated a fixed buffer size of 250 bytes when in Ex mode, regardless of the actual indent value. When processing files with large tabstop values that result in significant indentation, this fixed allocation proved insufficient, causing writes beyond the allocated heap buffer boundaries.
Attack Vector
Exploitation requires a local attack vector where the attacker must convince the victim to open a malicious file with Vim. The attack scenario involves:
- Attacker creates a specially crafted file with manipulated tabstop settings
- Victim opens the malicious file using Vim in Ex mode
- The large tabstop value causes buffer overflow during command-line processing
- Attacker achieves arbitrary code execution or denial of service
// Security patch from src/ex_getln.c
// Source: https://github.com/vim/vim/commit/85b6747abc15a7a81086db31289cf1b8b17e6cb1
ccline.cmdindent = (firstc > 0 ? indent : 0);
// alloc initial ccline.cmdbuff
- alloc_cmdbuff(exmode_active ? 250 : indent + 1);
+ alloc_cmdbuff(indent + 50);
if (ccline.cmdbuff == NULL)
return FAIL;
ccline.cmdlen = ccline.cmdpos = 0;
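Review bot: The margin of 50 in the added line alloc_cmdbuff(indent + 50) is a bare constant, and the comment above it ("alloc initial ccline.cmdbuff") does not say what the extra bytes are meant to cover; a named constant or a one-line comment stating the intent would make the sizing reviewable. Nothing visible in the hunk bounds indent, so it is also worth confirming that indent + 50 cannot overflow and that any write past this initial size goes through a growth check rather than relying on the margin.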
The patch replaces the conditional fixed-size allocation with a dynamic calculation based on the actual indent value plus a buffer margin, ensuring adequate memory is allocated regardless of the tabstop configuration.
Detection Methods for CVE-2022-0359
Indicators of Compromise
- Unexpected Vim process crashes or segmentation faults when opening files
- Abnormal memory consumption by Vim processes
- Core dump files generated during Vim sessions
- Files with unusually large or suspicious tabstop modeline configurations
Detection Strategies
- Monitor for Vim processes exhibiting memory access violations or crashes
- Implement file integrity monitoring for configuration files that may contain malicious modeline settings
- Deploy endpoint detection to identify exploitation attempts targeting text editors
- Use static analysis tools to scan files for suspicious Vim modeline configurations
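One way to implement the modeline scan described above (and the "unusually large tabstop" indicator), as an added example that is not from the original page or from the Vim project. The threshold, the 5-line window (Vim's default 'modelines' value) and the simplified modeline grammar are assumptions, and the sample texts are constructed.

```python
import re

# Assumption: default 'modelines' value, so only the first and last 5 lines count.
MODELINES = 5
# Assumption: review threshold chosen for this example; the page names no value.
TABSTOP_THRESHOLD = 100

# Simplified modeline syntax: "vi:", "vim:", "Vim:" (optionally "vim>800:") or
# "ex:" at the start of the line or after whitespace.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]?\d+)?|ex):\s*(.*)$")
TABSTOP_RE = re.compile(r"^(?:tabstop|ts)=(\d+)$")

# Constructed samples, not taken from any real file.
BENIGN = "#!/bin/sh\n# vim: set ts=4 sw=4 et:\necho hi\n"
SUSPECT = "notes\n" * 20 + "/* vim: tabstop=5000:noexpandtab */\n"
MIDDLE = "a\n" * 10 + "# vim: ts=5000\n" + "b\n" * 10  # outside both windows


def modeline_options(line):
    """Return the option tokens of a modeline, or [] if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return []
    body = m.group(1)
    set_form = re.match(r"set?\s+(.*)", body)
    if set_form:
        # "se[t] {options}:" form: options end at the first unescaped ':'
        return re.split(r"(?<!\\):", set_form.group(1))[0].split()
    # plain form: options are separated by whitespace or ':'
    return [tok for tok in re.split(r"[\s:]+", body) if tok]


def scan_text(text):
    """Return (line_number, tabstop) for modeline tabstops above the threshold."""
    lines = text.splitlines()
    head = set(range(min(MODELINES, len(lines))))
    tail = set(range(max(0, len(lines) - MODELINES), len(lines)))
    findings = []
    for i in sorted(head | tail):
        for tok in modeline_options(lines[i]):
            m = TABSTOP_RE.match(tok)
            if m and int(m.group(1)) > TABSTOP_THRESHOLD:
                findings.append((i + 1, int(m.group(1))))
    return findings


if __name__ == "__main__":
    for name, sample in (("BENIGN", BENIGN), ("SUSPECT", SUSPECT), ("MIDDLE", MIDDLE)):
        print(name, scan_text(sample))
```

A finding marks a file for review only; a large tabstop in a modeline is unusual but not proof of a crafted file.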
Monitoring Recommendations
- Enable audit logging for Vim process executions and file access patterns
- Monitor system logs for segmentation faults related to Vim processes
- Track file downloads and email attachments with text file extensions that may contain exploit payloads
- Implement behavioral analysis to detect anomalous activity following Vim execution
How to Mitigate CVE-2022-0359
Immediate Actions Required
- Update Vim to version 8.2.4214 or later immediately
- Apply vendor-provided security patches for Debian and macOS systems
- Disable Vim modeline processing by adding set nomodeline to your vimrc configuration
- Avoid opening untrusted files with Vim until patched
Patch Information
The vulnerability has been addressed in Vim commit 85b6747, which is included in version 8.2.4214 and later. Additional vendor patches are available:
- Apple macOS: Security Update HT213444 and HT213488
- Debian: Security announcements available via Debian LTS
- Gentoo: GLSA 202208-32
Workarounds
- Add set nomodeline to your ~/.vimrc configuration to prevent automatic modeline processing
- Use alternative text editors for opening untrusted files until Vim can be updated
- Implement file type restrictions to prevent automatic processing of potentially malicious files
- Configure sandbox environments for handling files from untrusted sources
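# Configuration example - Disable modeline processing (append only if not already set)
grep -qx 'set nomodeline' ~/.vimrc 2>/dev/null || echo "set nomodeline" >> ~/.vimrc
# Verify Vim version is patched: for 8.2, the "Included patches" line must cover 4214
vim --version | grep -E '^(VIM - Vi IMproved|Included patches)'
# Check for vulnerable Vim installations on the system (prints the path, then version and patch level)
command -v vim && vim --version | grep -E '^(VIM - Vi IMproved 8\.2|Included patches)'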
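The version check above can be automated by parsing the "Included patches" line instead of reading it by eye. This is an added example, not code from the original page or from the Vim project; the sample `vim --version` texts are constructed, and the function names are hypothetical.

```python
import re

# From the advisory: the fix is included in 8.2.4214 and later.
FIX_VERSION = (8, 2)
FIX_PATCH = 4214

# Constructed `vim --version` excerpts (first two lines only).
PATCHED = "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Feb 01 2022)\nIncluded patches: 1-4214\n"
OLD = "VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Jan 01 2022)\nIncluded patches: 1-3995\n"
BACKPORT = "VIM - Vi IMproved 8.2 (2019 Dec 12)\nIncluded patches: 1-3995, 4214, 4563\n"
NEWER = "VIM - Vi IMproved 9.0 (2022 Jun 28)\n"


def parse_vim_version(output):
    """Return ((major, minor), [(lo, hi), ...]) from `vim --version` text."""
    ver = re.search(r"^VIM - Vi IMproved (\d+)\.(\d+)", output, re.M)
    if not ver:
        raise ValueError("input does not look like `vim --version` output")
    version = (int(ver.group(1)), int(ver.group(2)))
    ranges = []
    pat = re.search(r"^Included patches: (.+)$", output, re.M)
    if pat:
        # Entries are single patches ("4214") or ranges ("1-3995").
        for item in pat.group(1).split(","):
            lo, _, hi = item.strip().partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return version, ranges


def includes_fix(output):
    """True if the build reports 8.2 patch 4214 or a later release."""
    version, ranges = parse_vim_version(output)
    if version != FIX_VERSION:
        return version > FIX_VERSION
    return any(lo <= FIX_PATCH <= hi for lo, hi in ranges)


if __name__ == "__main__":
    for name, text in (("PATCHED", PATCHED), ("OLD", OLD),
                       ("BACKPORT", BACKPORT), ("NEWER", NEWER)):
        print(name, includes_fix(text))
```

A False result on a distribution build should still be checked against the vendor advisory, since the package may carry the fix without listing the patch number.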

