CVE-2023-48706

2023-11-2222:15:08

Debian Security Bug Tracker

security-tracker.debian.org

vim

unix

heap-use-after-free

vulnerability

fix

version 9.0.2121

4.7 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H

4.3 Medium

AI Score

Confidence

High

0.0005 Low

EPSS

Percentile

19.0%

JSON

Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a :s command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive :s call causes free-ing of memory which may later then be accessed by the initial :s command. The user must intentionally execute the payload and the whole process is a bit tricky to do since it seems to work only reliably for the very first :s command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.

OSVersionArchitecturePackageVersionFilename
Debian12allvim<= 2:9.0.1378-2vim_2:9.0.1378-2_all.deb
Debian11allvim<= 2:8.2.2434-3+deb11u1vim_2:8.2.2434-3+deb11u1_all.deb
Debian10allvim<= 2:8.1.0875-5+deb10u2vim_2:8.1.0875-5+deb10u2_all.deb
Debian999allvim< 2:9.0.2189-1vim_2:9.0.2189-1_all.deb
Debian13allvim< 2:9.0.2189-1vim_2:9.0.2189-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	vim	<= 2:9.0.1378-2	vim_2:9.0.1378-2_all.deb
Debian	11	all	vim	<= 2:8.2.2434-3+deb11u1	vim_2:8.2.2434-3+deb11u1_all.deb
Debian	10	all	vim	<= 2:8.1.0875-5+deb10u2	vim_2:8.1.0875-5+deb10u2_all.deb
Debian	999	all	vim	< 2:9.0.2189-1	vim_2:9.0.2189-1_all.deb
Debian	13	all	vim	< 2:9.0.2189-1	vim_2:9.0.2189-1_all.deb