Double-Free Vulnerability in Vim Command Line Text Editor
CVE-2025-55158

CVSS v4 score: 6.9 (MEDIUM)

Key Information:

Vendor: Vim
Status: Vendor
CVE Published: 11 August 2025

What is CVE-2025-55158?

Vim, an open source command line text editor, has a double-free vulnerability in versions from 9.1.1231 up to but not including 9.1.1406. The flaw is reached when the editor processes nested tuples during Vim9 script import operations. If evaluation fails partway through, the error path leaves an internal typed value (typval_T) still referencing memory that has already been released, so a subsequent clear_tv() call frees the same memory a second time. Because the trigger is script content, the bug can be exploited by convincing a user to open and execute a specially crafted Vim script; the metrics below rate the impact as availability only, that is, a crash of the editor. The issue is fixed in version 9.1.1406.
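As an added worked example, not Vim's code and not taken from the advisory: a hypothetical C model of the ownership mistake behind a clear_tv()-style double free. The typval_T, tuple_T, clear_tv, tuple_free and eval_nested_tuple names and layouts are assumptions chosen to mirror the report's vocabulary. A quarantining allocator counts a second free instead of letting it corrupt the heap, so the vulnerable and fixed paths can be compared in one run. The vulnerable shape stores a temporary typed value into an outer tuple by shallow copy, so on an evaluation error both the container cleanup and the temporary's clear_tv() believe they own the inner tuple; the fix resets the temporary after the move.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model of a Vim9 typed value (typval_T) and a tuple. Added
 * illustration only, not Vim's own code; names and layouts are assumptions. */
typedef enum { VAR_UNKNOWN, VAR_NUMBER, VAR_TUPLE } vartype_T;

typedef struct tuple_S tuple_T;
typedef struct {
    vartype_T v_type;
    union { long v_number; tuple_T *v_tuple; } vval;
} typval_T;

struct tuple_S {
    int tv_count;
    typval_T tv_items[];   /* items are owned by the tuple */
};

/* Quarantining allocator: a freed block is only marked, never handed back
 * to malloc, so a second free is counted instead of corrupting the heap. */
#define MAX_TRACK 64
static void *blocks[MAX_TRACK];
static int freed[MAX_TRACK];
static int nblocks, double_frees;

static void *q_alloc(size_t n) {
    if (nblocks == MAX_TRACK) abort();
    void *p = calloc(1, n);
    if (p == NULL) abort();
    blocks[nblocks] = p; freed[nblocks] = 0; nblocks++;
    return p;
}
static void q_free(void *p) {
    for (int i = 0; i < nblocks; i++)
        if (blocks[i] == p) { if (freed[i]) double_frees++; freed[i] = 1; return; }
    abort();   /* freeing a pointer we never handed out */
}
static int q_live(void) {
    int live = 0;
    for (int i = 0; i < nblocks; i++) live += !freed[i];
    return live;
}
static void q_reset(void) {   /* really release everything between scenarios */
    for (int i = 0; i < nblocks; i++) free(blocks[i]);
    nblocks = 0; double_frees = 0;
}

static void clear_tv(typval_T *tv);

static void tuple_free(tuple_T *t) {
    for (int i = 0; i < t->tv_count; i++) clear_tv(&t->tv_items[i]);
    q_free(t);
}

/* Release what a typval owns and leave it empty, in the spirit of clear_tv(). */
static void clear_tv(typval_T *tv) {
    if (tv->v_type == VAR_TUPLE && tv->vval.v_tuple != NULL)
        tuple_free(tv->vval.v_tuple);
    tv->v_type = VAR_UNKNOWN;
    tv->vval.v_tuple = NULL;
}

/* Build a one-element inner tuple (n) as a temporary typval. */
static typval_T make_inner(long n) {
    tuple_T *t = q_alloc(sizeof *t + sizeof(typval_T));
    t->tv_count = 1;
    t->tv_items[0].v_type = VAR_NUMBER;
    t->tv_items[0].vval.v_number = n;
    typval_T tv = { VAR_TUPLE, { .v_tuple = t } };
    return tv;
}

/* Evaluate an outer tuple of `count` inner tuples. If fail_at >= 0, a simulated
 * evaluation error fires right after inner tuple fail_at was stored in the
 * outer tuple. transfer_ownership == 0 is the vulnerable shape (the temporary
 * still points at the stored tuple); 1 resets the temporary after the move,
 * which is the fix. Returns 0 on success, -1 on error. */
static int eval_nested_tuple(int count, int fail_at, int transfer_ownership) {
    tuple_T *outer = q_alloc(sizeof *outer + count * sizeof(typval_T));
    outer->tv_count = 0;
    for (int i = 0; i < count; i++) {
        typval_T item = make_inner(i);
        outer->tv_items[outer->tv_count++] = item;  /* shallow copy: two owners */
        if (transfer_ownership) {
            item.v_type = VAR_UNKNOWN;   /* FIX: the temporary no longer owns it */
            item.vval.v_tuple = NULL;
        }
        if (i == fail_at) {
            tuple_free(outer);   /* error path: drop the partial result, freeing every inner tuple */
            clear_tv(&item);     /* and the temporary: without the fix this frees inner tuple i again */
            return -1;
        }
    }
    tuple_free(outer);           /* success: nothing further to do with it here */
    return 0;
}

/* Double frees observed for one failing evaluation (3 items, error at item 1). */
static int double_frees_in_scenario(int transfer_ownership) {
    q_reset();
    eval_nested_tuple(3, 1, transfer_ownership);
    return double_frees;
}
/* Blocks still live afterwards; both paths should leak nothing. */
static int leaks_in_scenario(int transfer_ownership) {
    q_reset();
    eval_nested_tuple(3, 1, transfer_ownership);
    return q_live();
}

int main(void) {
    printf("vulnerable: double frees=%d leaks=%d\n",
           double_frees_in_scenario(0), leaks_in_scenario(0));
    printf("fixed:      double frees=%d leaks=%d\n",
           double_frees_in_scenario(1), leaks_in_scenario(1));
    return 0;
}
```

Build with `cc -std=c11 double_free_model.c && ./a.out` (file name assumed); the vulnerable path reports one double free and the fixed path none, with no leaks in either case. The design point is that a typval copied by value has two owners until one side is explicitly cleared, which is exactly the invariant an error-cleanup path is most likely to break.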

Affected Version(s)

vim >= 9.1.1231, < 9.1.1406

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Note that the exploitation path described above requires a user to open and execute a crafted script, which is a local, user-assisted scenario; the Attack Vector value of Network shown here does not match that description, and the Privileges Required and User Interaction fields are not populated on this page, so consult the upstream advisory for the authoritative vector string before scoring exposure.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 11 August 2025