CVE-2022-1381

7.8 HIGH

📋 TL;DR

CVE-2022-1381 is a heap buffer overflow vulnerability in Vim's skip_range function that allows attackers to crash the application, bypass memory protections, modify memory, and potentially execute arbitrary code. This affects users running Vim versions prior to 8.2.4763. The vulnerability can be triggered by processing specially crafted files.

💻 Affected Systems

Products:
  • Vim
  • Neovim (if using vulnerable Vim components)
  • Applications embedding Vim
Versions: All versions prior to 8.2.4763
Operating Systems: Linux, Unix-like systems, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All standard installations are vulnerable. No special configuration required for exploitation.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, or persistent backdoor installation.

🟠 Likely Case

Application crash (denial of service) and potential memory corruption leading to information disclosure.

🟢 If Mitigated

Limited to application crash if exploit attempts are blocked by security controls or sandboxing.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but could be exploited via web interfaces or email attachments.
🏢 Internal Only: MEDIUM - Similar risk internally, though attack surface may be smaller than internet-facing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user to open a malicious file. Proof-of-concept code is publicly available in disclosure references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.4763 and later

Vendor Advisory: https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47

Restart Required: No

Instructions:

1. Update Vim using your package manager (apt-get update && apt-get upgrade vim, yum update vim, etc.)
2. Or compile from source using the patched version from GitHub
3. Verify version with 'vim --version'

🔧 Temporary Workarounds

Disable vulnerable functionality

all

Restrict Vim's ability to process certain file types or disable vulnerable parsing features

# Consider using alternative editors for untrusted files
# Set vim to read-only mode for unknown files: vim -R

🧯 If You Can't Patch

  • Restrict Vim usage to trusted files only and implement application allowlisting
  • Implement network segmentation and monitor for suspicious Vim process behavior

🔍 How to Verify

Check if Vulnerable:

Run 'vim --version' and check if version is below 8.2.4763

Check Version:

vim --version | head -n 2

Verify Fix Applied:

Run 'vim --version' and confirm version is 8.2.4763 or higher
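
The first line of 'vim --version' shows only the release (for example 8.2); the patch level is on the following "Included patches:" line. The script below is an added example, not part of the original advisory or of Vim: it reads 'vim --version' output and reports whether patch 4763 is present. The function name vim_fix_status and the sample text are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does this Vim build include patch 8.2.4763?
# Usage on a host: vim --version | vim_fix_status
# Return codes: 0 = fixed, 1 = vulnerable, 2 = output not recognised.
FIX_PATCH=4763   # fixed version from the advisory: 8.2.4763

vim_fix_status() {
    awk -v fix="$FIX_PATCH" '
        # Banner line: "VIM - Vi IMproved 8.2 (2022 Apr 17, compiled ...)"
        /^VIM - Vi IMproved / && ver == "" { ver = $5 }
        # Patch line: "Included patches: 1-3995, 4563, 4774"
        /^Included patches:/ {
            sub(/^Included patches: */, "")
            n = split($0, items, /, */)
            for (i = 1; i <= n; i++) {
                m = split(items[i], r, "-")      # "lo-hi" or a single number
                lo = r[1] + 0
                hi = (m > 1 ? r[2] : r[1]) + 0
                if (lo <= fix && fix <= hi) has_fix = 1
            }
        }
        END {
            if (ver == "") { print "unknown"; exit 2 }
            split(ver, v, ".")
            major = v[1] + 0; minor = v[2] + 0
            # Releases after 8.2 already contain the fix.
            if (major > 8 || (major == 8 && minor > 2)) { print "fixed"; exit 0 }
            # On 8.2 the patch must appear in the included list.
            if (major == 8 && minor == 2 && has_fix) { print "fixed"; exit 0 }
            print "vulnerable"; exit 1
        }'
}

# Constructed sample (not captured from a real host): 8.2 with selected backports.
SAMPLE_OLD='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Apr 18 2022 19:26:30)
Included patches: 1-3995, 4563, 4646'
printf '%s\n' "$SAMPLE_OLD" | vim_fix_status || :   # prints: vulnerable
```

A distribution package may carry the fix as a backport that is not listed on this line, so a "vulnerable" result on a vendor build should be confirmed against the distribution's security notice for CVE-2022-1381.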

📡 Detection & Monitoring

Log Indicators:

  • Vim process crashes with segmentation faults
  • Abnormal memory usage patterns in Vim processes

Network Indicators:

  • Unusual file downloads followed by Vim execution
  • Network transfers of suspicious text files

SIEM Query:

(Process:name=vim AND (EventID=1000 OR Signal=SIGSEGV)) OR (Process:parent_name=vim AND CommandLine:contains("suspicious_pattern"))
