{"id":"CLSA-2026-1777540266","summary":"vim: Fix of 10 CVEs","details":"- CVE-2022-2182: in do_one_cmd(), after \";\" sets curwin-\u003ew_cursor.lnum\n  to ea.line2, call check_cursor() instead of check_cursor_lnum() so\n  the column is validated too, and fall back to check_cursor_col()\n  when ea.line2 is zero, preventing read past end-of-line on \":0;'{\".\n- CVE-2022-2206: in check_shellsize(), clamp cmdline_row and msg_row\n  to Rows - 1 after limit_screen_size() so a shrinking terminal\n  cannot leave those values referencing freed screen rows.\n- CVE-2022-2257: in str2special(), when the byte is single-byte set\n  *sp = str + (*str == NUL ? 0 : 1) so the caller cannot walk past\n  the terminating NUL when a menu item ends in a modifier-only key.\n- CVE-2022-2849: in latin_ptr2len()/dbcs_ptr2len(), return 0 when\n  *p == NUL so loops that advance by mb_ptr2len() cannot walk past\n  the NUL terminator (matches the contract documented in\n  src/globals.h).\n- CVE-2022-3352: in spell_load_lang(), snapshot curbuf before the\n  SpellFileMissing autocommand and break out of the retry loop if\n  the autocommand deleted/replaced curbuf, preventing a\n  use-after-free on the cached \"lang\"/\"curbuf\" pointer. Uses\n  sl.sl_lang (stack copy) for the apply_autocmds pattern to survive\n  buffer deletion.\n- CVE-2023-2609: in get_register() (ops.c), treat y_current-\u003ey_array\n  == NULL the same as y_size == 0 and set reg-\u003ey_array to NULL, so\n  an invalid/NULL register contents cannot be walked as a valid\n  string vector.\n- CVE-2021-3778: in find_match_text() (regexp_nfa.c), advance by\n  utf_ptr2len(regline + col + len2) under enc_utf8 instead of\n  MB_CHAR2LEN(c2), so an invalid UTF-8 byte cannot cause a read\n  past the end of the line.\n- CVE-2022-1616: in append_command() (ex_docmd.c), change the\n  buffer-space check to \"d - IObuff + 5 \u003c IOSIZE\" and skip copying\n  a multibyte character whose length would overrun IObuff, so an\n  invalid command with composing chars cannot overflow the error-\n  message buffer.\n- CVE-2022-1897: in undo_time() (undo.c), call text_locked() /\n  text_locked_msg() and return early, so :undo / :earlier / g-\n  cannot run while the text is locked (e.g. inside a :substitute\n  callback) and free a buffer the caller is still walking.\n- CVE-2022-2125: in get_lisp_indent() (misc1.c), after the\n  double-quoted-string skip loop break out of the outer scan loop\n  when *that is NUL so lisp indenting cannot walk past end-of-line\n  on an unterminated quote.","modified":"2026-05-27T11:34:01.466102732Z","published":"2026-04-30T09:11:11Z","upstream":["CVE-2021-3778","CVE-2022-1616","CVE-2022-1897","CVE-2022-2125","CVE-2022-2182","CVE-2022-2206","CVE-2022-2257","CVE-2022-2849","CVE-2022-3352","CVE-2023-2609"],"references":[{"type":"ADVISORY","url":"https://errata.tuxcare.com/els_os/oraclelinux7els/CLSA-2026-1777540266.html"}],"affected":[{"package":{"name":"vim-X11","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/vim-X11?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4.629-8.0.1.el7_9.tuxcare.els9"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777540266.json"}},{"package":{"name":"vim-common","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/vim-common?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4.629-8.0.1.el7_9.tuxcare.els9"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777540266.json"}},{"package":{"name":"vim-enhanced","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/vim-enhanced?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4.629-8.0.1.el7_9.tuxcare.els9"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777540266.json"}},{"package":{"name":"vim-filesystem","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/vim-filesystem?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4.629-8.0.1.el7_9.tuxcare.els9"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777540266.json"}},{"package":{"name":"vim-minimal","ecosystem":"TuxCare:OracleLinux:7","purl":"pkg:rpm/tuxcare/vim-minimal?distro=oraclelinux-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2:7.4.629-8.0.1.el7_9.tuxcare.els9"}]}],"database_specific":{"source":"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777540266.json"}}],"schema_version":"1.7.5"}