CLSA-2026-1777558504
See a problem?- Import Source
- https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/centos7els/CLSA-2026-1777558504.json
- JSON Data
- https://api.osv.dev/v1/vulns/CLSA-2026-1777558504
- Upstream
- Published
- 2026-05-05T21:11:17Z
- Modified
- 2026-06-01T00:33:18.677667356Z
- Summary
- vim: Fix of 10 CVEs
- Details
-
- CVE-2021-3928: in suggesttriewalk() only credit a non-word-char boundary with SCORE_NONWORD when preword is non-empty, so spell suggestions do not read uninitialized memory behind preword.
- CVE-2021-3974: in nfaregmatch() NFAMARK / NFAMARKGT / NFAMARKLT, save reginput - regline and re-fetch regline via reggetline() after getmarkbuf() so use-after-free cannot occur when getmark_buf flushes the current line.
- CVE-2022-0368: call checkpos(curbuf, &VIsual) at the end of uundoend() when Visual mode is active, so an undo that shortens the buffer cannot leave VIsual pointing past end-of-line / end- of-buffer. Adds a checkpos() helper in misc2.c.
- CVE-2022-0696: in winnewtabpage() and gototabpagetp(), refuse to switch/create a tabpage while cmdwintype != 0, emitting ecmdwin instead of crashing on cmdline-window re-entry.
- CVE-2022-1629: in findnextquote(), after advancing past an escape character return -1 if the next byte is NUL so a trailing backslash cannot be read past end-of-line.
- CVE-2022-1735: call new checkvisualpos() helper from changedcommon() (misc1.c) and stopinsert() (edit.c) whenever Visual mode is active so a change that shrinks the buffer cannot leave VIsual pointing past end-of-line / end-of-buffer.
- CVE-2022-1771: cap getcmdline() recursion at 50 via a static depth counter, emitting E169 "Command too recursive" on overflow to prevent crash from self-recursive cmdline input (e.g. the "=@" register loop).
- CVE-2022-1898: in nvbrackets(), copy the identifier under the cursor with vimstrnsave() before calling findpatternin_path() for "]d"/"[d", so that a match in a modified/freed line cannot cause a use-after-free on ptr.
- CVE-2022-1968: add getlineandcopy() helper in search.c and use it instead of mlget() in findpatternin_path(), so the regexp cannot leave line pointing into freed buffer memory when a mark invalidates the current line.
- CVE-2022-2124: in currentquote() (search.c), break out of the selection-scan loop when line[i] is NUL so a changed line does not cause a read past end-of-line while iterating up to colend.
- References
Affected packages
TuxCare:CentOS:7 / vim-X11
Package
- Name
- vim-X11
- Purl
- pkg:rpm/tuxcare/vim-X11?distro=centos-7
TuxCare:CentOS:7 / vim-common
Package
- Name
- vim-common
- Purl
- pkg:rpm/tuxcare/vim-common?distro=centos-7
TuxCare:CentOS:7 / vim-enhanced
Package
- Name
- vim-enhanced
- Purl
- pkg:rpm/tuxcare/vim-enhanced?distro=centos-7
TuxCare:CentOS:7 / vim-filesystem
Package
- Name
- vim-filesystem
- Purl
- pkg:rpm/tuxcare/vim-filesystem?distro=centos-7