CVE-2025-55158

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-55158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-55158
Aliases
  • GHSA-5fg8-wvx3-583x
Published
2025-08-11T22:54:12.015Z
Modified
2025-12-05T10:20:22.998860Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Vim double-free vulnerability during Vim9 script import operations
Details

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim’s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55158.json",
    "cwe_ids": [
        "CWE-415"
    ],
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/vim/vim

Affected ranges

Type
GIT
Repo
https://github.com/vim/vim

Affected versions

v9.*

v9.1.1231
v9.1.1232
v9.1.1233
v9.1.1234
v9.1.1235
v9.1.1236
v9.1.1237
v9.1.1238
v9.1.1239
v9.1.1240
v9.1.1241
v9.1.1242
v9.1.1243
v9.1.1244
v9.1.1245
v9.1.1246
v9.1.1247
v9.1.1248
v9.1.1249
v9.1.1250
v9.1.1251
v9.1.1252
v9.1.1253
v9.1.1254
v9.1.1255
v9.1.1256
v9.1.1257
v9.1.1258
v9.1.1259
v9.1.1260
v9.1.1261
v9.1.1262
v9.1.1263
v9.1.1264
v9.1.1265
v9.1.1266
v9.1.1267
v9.1.1268
v9.1.1269
v9.1.1270
v9.1.1271
v9.1.1272
v9.1.1273
v9.1.1274
v9.1.1275
v9.1.1276
v9.1.1277
v9.1.1278
v9.1.1279
v9.1.1280
v9.1.1281
v9.1.1282
v9.1.1283
v9.1.1284
v9.1.1285
v9.1.1286
v9.1.1287
v9.1.1288
v9.1.1289
v9.1.1290
v9.1.1291
v9.1.1292
v9.1.1293
v9.1.1294
v9.1.1295
v9.1.1296
v9.1.1297
v9.1.1298
v9.1.1299
v9.1.1300
v9.1.1301
v9.1.1302
v9.1.1303
v9.1.1304
v9.1.1305
v9.1.1306
v9.1.1307
v9.1.1308
v9.1.1309
v9.1.1310
v9.1.1311
v9.1.1312
v9.1.1313
v9.1.1314
v9.1.1315
v9.1.1316
v9.1.1317
v9.1.1318
v9.1.1319
v9.1.1320
v9.1.1321
v9.1.1322
v9.1.1323
v9.1.1324
v9.1.1325
v9.1.1326
v9.1.1327
v9.1.1328
v9.1.1329
v9.1.1330
v9.1.1331
v9.1.1332
v9.1.1333
v9.1.1334
v9.1.1335
v9.1.1336
v9.1.1337
v9.1.1338
v9.1.1339
v9.1.1340
v9.1.1341
v9.1.1342
v9.1.1343
v9.1.1344
v9.1.1345
v9.1.1346
v9.1.1347
v9.1.1348
v9.1.1349
v9.1.1350
v9.1.1351
v9.1.1352
v9.1.1353
v9.1.1354
v9.1.1355
v9.1.1356
v9.1.1357
v9.1.1358
v9.1.1359
v9.1.1360
v9.1.1361
v9.1.1362
v9.1.1363
v9.1.1364
v9.1.1365
v9.1.1366
v9.1.1367
v9.1.1368
v9.1.1369
v9.1.1370
v9.1.1371
v9.1.1372
v9.1.1373
v9.1.1374
v9.1.1375
v9.1.1376
v9.1.1377
v9.1.1378
v9.1.1379
v9.1.1380
v9.1.1381
v9.1.1382
v9.1.1383
v9.1.1384
v9.1.1385
v9.1.1386
v9.1.1387
v9.1.1388
v9.1.1389
v9.1.1390
v9.1.1391
v9.1.1393
v9.1.1394
v9.1.1395
v9.1.1396
v9.1.1397
v9.1.1398
v9.1.1399
v9.1.1400
v9.1.1401
v9.1.1402
v9.1.1403
v9.1.1404
v9.1.1405

Database specific

vanir_signatures

[
    {
        "target": {
            "file": "src/tuple.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "264056921112503077838019307917712489603",
                "98039574633754904792445237746817362236",
                "144690407749804281781939825612202061205",
                "259523202800334028870173037037971902675"
            ]
        },
        "id": "CVE-2025-55158-1754f6ae",
        "signature_version": "v1",
        "source": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775",
        "signature_type": "Line"
    },
    {
        "target": {
            "function": "eval_tuple",
            "file": "src/tuple.c"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "189040626709961497407730106186128866770",
            "length": 1856.0
        },
        "id": "CVE-2025-55158-2f5a9065",
        "signature_version": "v1",
        "source": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775",
        "signature_type": "Function"
    },
    {
        "target": {
            "file": "src/version.c"
        },
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "146200493773228420153804765641940418619",
                "164616141093816496504178600515648151123",
                "320242800671043206243775580369137325670",
                "302790001417888419839767838546672565737"
            ]
        },
        "id": "CVE-2025-55158-b8549c83",
        "signature_version": "v1",
        "source": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775",
        "signature_type": "Line"
    }
]