Use-After-Free Vulnerability in Vim Editor by Vim Team
CVE-2025-26603

4.2 MEDIUM

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 18 February 2025

What is CVE-2025-26603?

Vim contains a use-after-free in its handling of register contents when the output of the ':display' command (which lists what the registers hold) is redirected into a register with ':redir'. Each redirected write frees and replaces the contents of the target register, so if that target is a register ':display' is still reading, the listing continues from freed memory. ':display' already skips the register named as the redirection target, but that check misses the clipboard registers '+' and '*': when no clipboard is available these fall back to register 0, so redirecting to '+' or '*' while register 0 is listed frees register 0 in the middle of the listing. Patch 9.1.1115 corrects the redirect handling so that register 0 is no longer misused while the clipboard registers are the redirection target. No workaround is available, so affected users should update to 9.1.1115 or later immediately; ':echo has("patch-9.1.1115")' prints 1 once the fix is present.
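
The mechanism described above, as an added example that is not Vim's own code: a small C model of a register listing whose output is redirected into one of the registers being listed. The names (resolve_reg, redir_write, display_registers), the ten-register table, the "no clipboard available" setting and the sample register contents are all assumptions made for illustration. The model shows why a skip check that compares register names misses the '+'/'*' fallback to register 0, and why comparing the resolved register slot instead closes the hole. Rather than reading the freed memory, the model counts how many listed registers had their contents freed while still being displayed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Simplified stand-in for a register table; not Vim's data structures. */
#define NUM_REGS 10            /* only registers '0'..'9' are modelled (assumption) */
#define CLIPBOARD_AVAILABLE 0  /* assume a build/session without clipboard support */

struct reg {
    char *content;   /* heap string; freed and replaced on every write */
    unsigned gen;    /* bumped on every write, used to detect a stale pointer */
};

static struct reg regs[NUM_REGS];

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d == NULL)
        abort();
    memcpy(d, s, n);
    return d;
}

/* Map a register name to a slot.  '+' and '*' fall back to register 0 when
 * no clipboard is available; this aliasing is what the name-based skip misses. */
static int resolve_reg(int name)
{
    if (isdigit(name))
        return name - '0';
    if ((name == '+' || name == '*') && !CLIPBOARD_AVAILABLE)
        return 0;
    return -1;   /* real clipboard register, or a name this model ignores */
}

/* Redirected output is appended to a register: the old string is freed. */
static void redir_write(int redir_name, const char *line)
{
    int slot = resolve_reg(redir_name);
    if (slot < 0)
        return;
    const char *old = regs[slot].content ? regs[slot].content : "";
    char *joined = malloc(strlen(old) + strlen(line) + 1);
    if (joined == NULL)
        abort();
    strcpy(joined, old);
    strcat(joined, line);
    free(regs[slot].content);    /* frees what an in-progress listing may still hold */
    regs[slot].content = joined;
    regs[slot].gen++;
}

/* List all registers with output redirected to redir_name.
 * fixed == 0: skip only the register whose NAME equals the redirection target.
 * fixed != 0: skip the register whose resolved SLOT equals the target.
 * Returns how many listed registers had their contents freed mid-listing,
 * i.e. how many held pointers would be read after free. */
static int display_registers(int redir_name, int fixed)
{
    int stale = 0;
    for (int slot = 0; slot < NUM_REGS; slot++) {
        int name = '0' + slot;
        if (regs[slot].content == NULL)
            continue;
        int skip = fixed ? (slot == resolve_reg(redir_name))
                         : (name == redir_name);
        if (skip)
            continue;   /* do not list the register being written to */
        const char *p = regs[slot].content;   /* held while the line is emitted */
        unsigned gen_before = regs[slot].gen;
        char line[256];
        snprintf(line, sizeof line, "\"%c   %s\n", name, p);
        redir_write(redir_name, line);        /* may free the string behind p */
        if (regs[slot].gen != gen_before)
            stale++;   /* p now dangles; continuing to read it is the UAF */
    }
    return stale;
}

/* Reset to a constructed state: registers 0 and 1 hold sample text. */
static void setup_registers(void)
{
    for (int i = 0; i < NUM_REGS; i++) {
        free(regs[i].content);
        regs[i].content = NULL;
    }
    regs[0].content = dup_str("yanked text");
    regs[1].content = dup_str("other text");
}

int main(void)
{
    setup_registers();
    printf("redir to '+', name-based skip: %d stale register(s)\n",
           display_registers('+', 0));   /* 1: register 0 freed while listed */
    setup_registers();
    printf("redir to '+', slot-based skip: %d stale register(s)\n",
           display_registers('+', 1));   /* 0 */
    setup_registers();
    printf("redir to '0', name-based skip: %d stale register(s)\n",
           display_registers('0', 0));   /* 0: explicit name already matched */
    return 0;
}
```

The point of the slot comparison is that the skip decision must be made on the same mapping the write path uses; any alias between register names (here the clipboard fallback) that the write path honours but the skip check does not reopens the free-while-listing window.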

Affected Version(s)

vim < 9.1.1115

CVSS v3.1

Score: 4.2 (MEDIUM)
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability published

  • Vulnerability Reserved
