Executive Summary

[{'type': 'paragraph', 'content': "This vulnerability exists in Vim's NFA (Nondeterministic Finite Automaton) regex compiler when it processes a character range in a regular expression that ends with a combining Unicode character (a character that modifies the preceding base character). Instead of handling the combining character correctly, Vim emits its composing bytes as separate NFA states, which corrupts the internal NFA postfix stack."}, {'type': 'paragraph', 'content': 'This corruption causes the NFA_START_COLL state to have a NULL pointer where it expects a valid reference. Later, when Vim tries to estimate the match width for a look-behind assertion by traversing the compiled NFA, it dereferences this NULL pointer without checking, leading to a segmentation fault (crash).'}, {'type': 'paragraph', 'content': 'The issue affects Vim versions from 9.1.0011 up to but not including 9.2.0137 and was fixed in version 9.2.0137 by adjusting how the regex engine handles composing characters at the end of ranges to prevent stack corruption and crashes.'}] [2, 3]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause Vim to crash with a segmentation fault when processing certain crafted regular expressions containing ranges that end with combining characters.

An attacker or any user able to supply such a regex pattern (for example, through plugins or command-line arguments) can trigger this crash, resulting in a denial of service by causing the application to terminate unexpectedly.

The impact is classified as moderate with low confidentiality, integrity, and availability impacts, but it can disrupt workflows or automated processes relying on Vim.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is triggered by supplying a regex pattern containing a character collection with a combining Unicode character as the endpoint of a character range (e.g., [0-0ֻ]) to Vim. Detection involves identifying if your Vim installation is a vulnerable version (from 9.1.0011 up to before 9.2.0137).'}, {'type': 'paragraph', 'content': 'To detect if your Vim version is vulnerable, you can check the installed version using the command:'}, {'type': 'list_item', 'content': 'vim --version'}, {'type': 'paragraph', 'content': 'If the version is between 9.1.0011 and before 9.2.0137, your Vim is vulnerable.'}, {'type': 'paragraph', 'content': 'To test if the vulnerability can be triggered, you might attempt to run a regex command in Vim that includes a range with a combining character endpoint, such as:'}, {'type': 'list_item', 'content': ":echo match('test', '[0-0ֻ]')"}, {'type': 'paragraph', 'content': 'If Vim crashes or segfaults during such a command, it indicates the vulnerability is present.'}] [2, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Vim to version 9.2.0137 or later, where this vulnerability has been fixed.

Until the upgrade is applied, avoid using or processing regex patterns that include character collections with combining Unicode characters as endpoints of ranges, as these can trigger the crash.

Additionally, restrict untrusted users or processes from supplying arbitrary regex patterns to Vim, especially through plugins or command-line arguments.

Useful 0 Not Useful 0