CVE-2024-41957

Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags, but it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a	Patch
https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

History

09 Aug 2024, 14:14

Type	Values Removed	Values Added
First Time		Vim vim Vim
CVSS	v2 : ~~unknown~~ v3 : ~~4.5~~	v2 : unknown v3 : 5.3
CPE		cpe:2.3:a:vim:vim::::::::
References	~~() https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a -~~	() https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a - Patch
References	~~() https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 -~~	() https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4 - Vendor Advisory

02 Aug 2024, 12:59

Type	Values Removed	Values Added
Summary		(es) Vim es un editor de texto de línea de comandos de código abierto. Vim

01 Aug 2024, 22:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-08-01 22:15

Updated : 2024-08-09 14:14

NVD link : CVE-2024-41957

Mitre link : CVE-2024-41957

CVE.ORG link : CVE-2024-41957

JSON object : View

Products Affected

vim

vim

CWE

CWE-415

Double Free

{"id": "CVE-2024-41957", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 1.0}]}, "published": "2024-08-01T22:15:29.367", "references": [{"url": "https://github.com/vim/vim/commit/8a0bbe7b8aad6f8da28dee218c01bc8a0185a", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/vim/vim/security/advisories/GHSA-f9cr-gv85-hcr4", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-415"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-415"}]}], "descriptions": [{"lang": "en", "value": "Vim is an open source command line text editor. Vim < v9.1.0647 has double free in src/alloc.c:616. When closing a window, the corresponding tagstack data will be cleared and freed. However a bit later, the quickfix list belonging to that window will also be cleared and if that quickfix list points to the same tagstack data, Vim will try to free it again, resulting in a double-free/use-after-free access exception. Impact is low since the user must intentionally execute vim with several non-default flags,\nbut it may cause a crash of Vim. The issue has been fixed as of Vim patch v9.1.0647"}, {"lang": "es", "value": "Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. Vim "}], "lastModified": "2024-08-09T14:14:01.190", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E45F378C-A666-4E59-AE67-FD0B7BEC9D24", "versionEndExcluding": "9.1.0647"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}