Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 22 Nov 2023 22:12:49 +0100
From: Christian Brabandt <>
To: oss-sec <>
Subject: [vim-security] use-after-free in ex_substitute in Vim < v9.0.2121

CVE-2023-48706: Use-After-Free in ex_substitute()
Date: 22.11.2023
Severity: Low

When executing a :s command for the very first time and using a 
sub-replace-special atom inside the substitution part, it is possible 
that the recursive :s call causes freeing of memory which may later then 
be accessed by the initial :s command.

Impact is low since the user must intentionally execute the payload and
the whole process is a bit tricky to do (since it seems to work only
reliably for the very first :s command). It may also cause a crash of 

The Vim project would like to thank github user gandalf4a for reporting 
this issue which is now fixed in Vim patch 9.0.2121.


Wie man sein Kind nicht nennen sollte: 
  Jupp Heidi 

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.