Suyueguo

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.1.0707 **Description** Vim is an open source, command line text editor. A change in how the cursor position is calculated, made in patch v9.1.0038, removed a loop that verified the cursor position always points inside a line. This change made it possible for the cursor position to become invalid and point beyond the end of a line, potentially causing a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. The only observed impact has been a program crash. It's not quite clear yet what can lead to this situation that the cursor points to an invalid position. **Recommendations** For versions prior to 9.1.0707, upgrade to the latest release to mitigate potential vulnerabilities. As a temporary workaround, consider disabling any features that may trigger the invalid cursor position until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.1.0697 **Description** The issue arises when flushing the typeahead buffer in Vim, as it moves the current position without checking for sufficient space to handle the next characters. This can lead to a heap-buffer overflow, for example, in the `ins typebuf()` function, causing a crash. The impact is considered low due to the difficulty in reproducing the issue, which seems to occur when error messages are combined with several long mappings, potentially moving the position out of the valid buffer size. **Recommendations** For versions prior to 9.1.0697, upgrade to Vim patch v9.1.0697 or later to resolve the issue. At the moment, there are no known workarounds for this issue.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to v9.1.0689 **Description** The issue is related to a buffer overflow in the Vim text editor. When the search-count message is disabled and right-left mode is enabled, the search pattern is reversed and allocated in a new buffer. If the search pattern contains ASCII NUL characters, the allocated buffer will be smaller than the original, causing an overflow when accessing characters inside the buffer. This can potentially impact the confidentiality, integrity, and availability of protected information. **Recommendations** For versions prior to v9.1.0689, update to Vim patch v9.1.0689 or later to resolve the issue. As a temporary workaround, consider disabling the right-left mode (:set norl) when performing searches to minimize the risk of exploitation. Additionally, avoid using search patterns that contain ASCII NUL characters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.1.0678 **Description** The issue is related to a use-after-free error in argument list handling. When adding a new file to the argument list, it triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed, this causes the window structure to be freed, which contains a reference to the argument list that is being modified. Once the autocommands are completed, the references to the window and argument list are no longer valid, causing a use-after-free. The impact is low, as the user must either intentionally add unusual autocommands that wipe a buffer during creation or source a malicious plugin, but it will crash Vim. **Recommendations** For versions prior to 9.1.0678, update to Vim patch v9.1.0678 or later to fix the issue. As a temporary workaround, consider avoiding the use of `Buf*` autocommands that close the buffer during creation until a patch is available. Restrict access to malicious plugins that may exploit this issue to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.1.0648 **Description** The issue arises from a double-free error in the `dialog changed()` function when abandoning a buffer. If a user chooses to save a modified buffer without a name, Vim may create a new Untitled file. However, when setting the buffer name to Unnamed, Vim falsely frees a pointer twice, leading to a double-free and possibly a heap-use-after-free, which can cause a crash. **Recommendations** For versions prior to 9.1.0648, update to Vim patch v9.1.0648 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Vim versions prior to 9.1.0647 **Description** The issue exists due to a double-free error in the src/alloc.c file, specifically in the tagstack clear entry() function. When a window is closed, the corresponding tagstack data is cleared and freed. However, if the quickfix list belonging to that window points to the same tagstack data, Vim will attempt to free it again, resulting in a double-free/use-after-free access exception. The impact is low, as the user must intentionally execute Vim with several non-default flags, but it may cause a crash of Vim. **Recommendations** To resolve the issue, update to Vim version 9.1.0647 or later. As a temporary workaround, consider avoiding the use of non-default flags when executing Vim until a patch is applied.