CVE-2025-55158

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim’s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775	Patch
https://github.com/vim/vim/releases/tag/v9.1.1406	Patch
https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*

History

12 Aug 2025, 18:49

Type	Values Removed	Values Added
First Time		Vim vim Vim
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:vim:vim::::::::
References	~~() https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775 -~~	() https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775 - Patch
References	~~() https://github.com/vim/vim/releases/tag/v9.1.1406 -~~	() https://github.com/vim/vim/releases/tag/v9.1.1406 - Patch
References	~~() https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x -~~	() https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x - Vendor Advisory

12 Aug 2025, 14:25

Type	Values Removed	Values Added
Summary		(es) Vim es un editor de texto de línea de comandos de código abierto. En versiones desde la 9.1.1231 hasta anteriores a la 9.1.1406, al procesar tuplas anidadas durante las operaciones de importación de scripts de Vim9, un error durante la evaluación puede provocar una doble liberación en la gestión interna de valores tipificados (typval_T) de Vim. En concreto, la función clear_tv() puede intentar liberar memoria ya desasignada debido a una gestión incorrecta del tiempo de vida en las rutas de código handle_import / ex_import. La vulnerabilidad solo se activa si un usuario abre y ejecuta explícitamente un script de Vim especialmente manipulado. Este problema se ha corregido en la versión 9.1.1406.

11 Aug 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-11 23:15

Updated : 2025-08-12 18:49

NVD link : CVE-2025-55158

Mitre link : CVE-2025-55158

CVE.ORG link : CVE-2025-55158

JSON object : View

Products Affected

vim

CWE

CWE-415

Double Free

8.8 /10