CVE-2024-22667
📋 TL;DR
CVE-2024-22667 is a stack-based buffer overflow vulnerability in Vim's map.c file where the did_set_langmap function uses sprintf to write to an error buffer, potentially allowing arbitrary code execution. This affects users running Vim versions before 9.0.2142. Attackers could exploit this by tricking users into opening malicious files or using crafted language map configurations.
💻 Affected Systems
- Vim
📦 What is this software?
Fedora by Fedoraproject
Vim by Vim
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the Vim user, potentially leading to full system compromise if Vim is run with elevated privileges.
Likely Case
Local privilege escalation or arbitrary code execution when users open malicious files or use crafted language map configurations.
If Mitigated
Denial of service or application crash if exploit attempts fail or are blocked by security controls.
🎯 Exploit Status
Proof of concept code is publicly available in the GitHub gist reference. Exploitation requires user interaction (opening files or using language maps).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.0.2142 and later
Vendor Advisory: https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
Restart Required: No
Instructions:
1. Update Vim to version 9.0.2142 or later using your system's package manager.
2. For Linux: Use 'sudo apt update && sudo apt upgrade vim' (Debian/Ubuntu) or 'sudo yum update vim' (RHEL/CentOS).
3. For source installations: Download latest source from vim.org and compile.
🔧 Temporary Workarounds
Disable language map functionality
Platform: all
Prevents triggering the vulnerable code path by disabling language map support
Add 'set nolangmap' to your .vimrc file
Restrict Vim usage
Platform: linux
Limit Vim usage to trusted users and environments
Use apparmor/selinux profiles to restrict Vim
Implement least privilege for Vim users
🧯 If You Can't Patch
- Implement strict file handling policies - only open files from trusted sources
- Use alternative text editors until patching is possible
🔍 How to Verify
Check if Vulnerable:
Run 'vim --version' and check if version is below 9.0.2142
Check Version:
vim --version | grep -E '^(VIM - Vi IMproved|Included patches)'
Verify Fix Applied:
Run 'vim --version' and confirm version is 9.0.2142 or higher
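The check above can be scripted as follows. This is an added example, not part of the original advisory or the Vim project; the function name and the sample outputs are constructed for illustration. It reads the release from the first line of `vim --version` and the patch level from the "Included patches:" line, and it assumes an upstream-style patch number: distribution packages that backport the fix without raising the patch number need to be checked against the distribution's own advisory.

```shell
#!/bin/sh
# Added example: classify `vim --version` output (stdin) against the fixed
# release 9.0.2142 named on this page. Prints vulnerable | patched | unknown.
vim_cve_2024_22667_status() {
    awk '
        # Line 1 looks like: "VIM - Vi IMproved 9.0 (2022 Jun 28, compiled ...)"
        /^VIM - Vi IMproved [0-9]+\.[0-9]+/ {
            split($5, v, ".")
            major = v[1] + 0; minor = v[2] + 0; seen = 1
        }
        # Patch level is on its own line, e.g. "Included patches: 1-2141" or
        # "Included patches: 1-749, 751-1000"; keep the highest number listed.
        /^Included patches:/ {
            line = $0
            sub(/^Included patches:/, "", line)
            n = split(line, parts, /[^0-9]+/)
            for (i = 1; i <= n; i++)
                if (parts[i] != "" && parts[i] + 0 > patch) patch = parts[i] + 0
        }
        END {
            if (!seen) { print "unknown"; exit }
            if (major > 9 || (major == 9 && minor > 0)) { print "patched"; exit }
            if (major == 9 && minor == 0 && patch >= 2142) { print "patched"; exit }
            print "vulnerable"
        }
    '
}

# Constructed sample outputs (not captured from real hosts).
sample_old='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 01 2024 00:00:00)
Included patches: 1-1378, 1499'
sample_fixed='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jan 01 2024 00:00:00)
Included patches: 1-2142'
sample_next='VIM - Vi IMproved 9.1 (2024 Jan 02, compiled Jan 03 2024 00:00:00)
Included patches: 1-16'

for s in "$sample_old" "$sample_fixed" "$sample_next"; do
    printf '%s\n' "$s" | vim_cve_2024_22667_status
done
# On a real host: vim --version | vim_cve_2024_22667_status
```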
📡 Detection & Monitoring
Log Indicators:
- Vim crash logs
- Segmentation fault errors in system logs
- Unusual process spawning from Vim
Network Indicators:
- Unusual file transfers initiated by Vim process
- Outbound connections from Vim
SIEM Query:
process_name:vim AND (event_type:crash OR exit_code:139 OR exit_code:11)
🔗 References
- https://gist.githubusercontent.com/henices/2467e7f22dcc2aa97a2453e197b55a0c/raw/7b54bccc9a129c604fb139266f4497ab7aaa94c7/gistfile1.txt
- https://github.com/vim/vim/commit/b39b240c386a5a29241415541f1c99e2e6b8ce47
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UI44Y4LJLG34D4HNB6NTPLUPZREHAEL7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UIQLVUSYHDN3644K6EFDI7PRZOTIKXM3/
- https://security.netapp.com/advisory/ntap-20240223-0008/
- https://lists.debian.org/debian-lts-announce/2025/03/msg00023.html