CVE-2024-43790 (GCVE-0-2024-43790)

Vulnerability from cvelistv5 – Published: 2024-08-22 21:23 – Updated: 2024-09-20 16:03
VLAI
Title
heap-buffer-overflow in do_search() in Vim < 9.1.0689
Summary
Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.
Severity
4.5 (Medium)
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
Vendor Product Version
vim vim Affected: < v9.1.0689
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-43790",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-08-23T16:42:30.460971Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-23T16:42:39.434Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-20T16:03:12.105Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://security.netapp.com/advisory/ntap-20240920-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "vim",
          "vendor": "vim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c v9.1.0689"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "LOW",
            "baseScore": 4.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122: Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-22T21:23:07.797Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm"
        },
        {
          "name": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc"
        }
      ],
      "source": {
        "advisory": "GHSA-v2x2-cjcg-f9jm",
        "discovery": "UNKNOWN"
      },
      "title": "heap-buffer-overflow in do_search() in Vim \u003c 9.1.0689"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-43790",
    "datePublished": "2024-08-22T21:23:07.797Z",
    "dateReserved": "2024-08-16T14:20:37.323Z",
    "dateUpdated": "2024-09-20T16:03:12.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-43790",
      "date": "2026-06-06",
      "epss": "0.0006",
      "percentile": "0.18945"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.\"}, {\"lang\": \"es\", \"value\": \"Vim es un editor de texto de l\\u00ednea de comandos de c\\u00f3digo abierto. Cuando se realiza una b\\u00fasqueda y se deshabilita la visualizaci\\u00f3n del mensaje de recuento de b\\u00fasqueda (:set shm+=S), el patr\\u00f3n de b\\u00fasqueda se muestra en la parte inferior de la pantalla en un b\\u00fafer (msgbuf). Cuando el modo derecha-izquierda (:set rl) est\\u00e1 habilitado, el patr\\u00f3n de b\\u00fasqueda se invierte. Esto sucede asignando un nuevo b\\u00fafer. Si el patr\\u00f3n de b\\u00fasqueda contiene algunos caracteres ASCII NUL, el b\\u00fafer asignado ser\\u00e1 m\\u00e1s peque\\u00f1o que el b\\u00fafer asignado original (porque para asignar el b\\u00fafer invertido, se llama a la funci\\u00f3n strlen(), que solo cuenta hasta que detecta un byte ASCII NUL) y por lo tanto el indicador de longitud original es incorrecto. Esto provoca un desbordamiento al acceder a caracteres dentro del msgbuf por la longitud anterior (ahora incorrecta) del msgbuf. El problema se solucion\\u00f3 a partir del parche Vim v9.1.0689.\"}]",
      "id": "CVE-2024-43790",
      "lastModified": "2024-11-21T09:35:52.580",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"baseScore\": 4.5, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 3.4}]}",
      "published": "2024-08-22T22:15:05.317",
      "references": "[{\"url\": \"https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240920-0005/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-122\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-43790\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-08-22T22:15:05.317\",\"lastModified\":\"2025-08-18T17:08:16.193\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.\"},{\"lang\":\"es\",\"value\":\"Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. Cuando se realiza una b\u00fasqueda y se deshabilita la visualizaci\u00f3n del mensaje de recuento de b\u00fasqueda (:set shm+=S), el patr\u00f3n de b\u00fasqueda se muestra en la parte inferior de la pantalla en un b\u00fafer (msgbuf). Cuando el modo derecha-izquierda (:set rl) est\u00e1 habilitado, el patr\u00f3n de b\u00fasqueda se invierte. Esto sucede asignando un nuevo b\u00fafer. Si el patr\u00f3n de b\u00fasqueda contiene algunos caracteres ASCII NUL, el b\u00fafer asignado ser\u00e1 m\u00e1s peque\u00f1o que el b\u00fafer asignado original (porque para asignar el b\u00fafer invertido, se llama a la funci\u00f3n strlen(), que solo cuenta hasta que detecta un byte ASCII NUL) y por lo tanto el indicador de longitud original es incorrecto. Esto provoca un desbordamiento al acceder a caracteres dentro del msgbuf por la longitud anterior (ahora incorrecta) del msgbuf. El problema se solucion\u00f3 a partir del parche Vim v9.1.0689.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\",\"baseScore\":4.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.0,\"impactScore\":3.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.1.0425\",\"versionEndExcluding\":\"9.1.0689\",\"matchCriteriaId\":\"53675F8E-4C3F-403E-B421-9FB5B2BA4DF6\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD7447BC-F315-4298-A822-549942FC118B\"}]}]}],\"references\":[{\"url\":\"https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240920-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://security.netapp.com/advisory/ntap-20240920-0005/\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-09-20T16:03:12.105Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-43790\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-23T16:42:30.460971Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-23T16:42:35.521Z\"}}], \"cna\": {\"title\": \"heap-buffer-overflow in do_search() in Vim \u003c 9.1.0689\", \"source\": {\"advisory\": \"GHSA-v2x2-cjcg-f9jm\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"vim\", \"product\": \"vim\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c v9.1.0689\"}]}], \"references\": [{\"url\": \"https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm\", \"name\": \"https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\", \"name\": \"https://github.com/vim/vim/commit/cacb6693c10bb19f28a50eca47bc\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Vim is an open source command line text editor. When performing a search and displaying the search-count message is disabled (:set shm+=S), the search pattern is displayed at the bottom of the screen in a buffer (msgbuf). When right-left mode (:set rl) is enabled, the search pattern is reversed. This happens by allocating a new buffer. If the search pattern contains some ASCII NUL characters, the buffer allocated will be smaller than the original allocated buffer (because for allocating the reversed buffer, the strlen() function is called, which only counts until it notices an ASCII NUL byte ) and thus the original length indicator is wrong. This causes an overflow when accessing characters inside the msgbuf by the previously (now wrong) length of the msgbuf. The issue has been fixed as of Vim patch v9.1.0689.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122: Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-08-22T21:23:07.797Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-43790\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-09-20T16:03:12.105Z\", \"dateReserved\": \"2024-08-16T14:20:37.323Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-08-22T21:23:07.797Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.