CVE-2024-43374

Name of the Vulnerable Software and Affected Versions Vim versions prior to 9.1.0678

Description The issue is related to a use-after-free error in argument list handling. When adding a new file to the argument list, it triggers Buf* autocommands. If in such an autocommand the buffer that was just opened is closed, this causes the window structure to be freed, which contains a reference to the argument list that is being modified. Once the autocommands are completed, the references to the window and argument list are no longer valid, causing a use-after-free. The impact is low, as the user must either intentionally add unusual autocommands that wipe a buffer during creation or source a malicious plugin, but it will crash Vim.

Recommendations For versions prior to 9.1.0678, update to Vim patch v9.1.0678 or later to fix the issue. As a temporary workaround, consider avoiding the use of Buf* autocommands that close the buffer during creation until a patch is available. Restrict access to malicious plugins that may exploit this issue to minimize the risk of exploitation.