CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-24014: segmentation fault in win_line() in Vim < 9.1.1043

4.2 CVSS

Description

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Classification

CVE ID: CVE-2025-24014

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.2

Affected Products

Vendor: vim

Product: vim

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.68% (scored less or equal to compared to others)

EPSS Date: 2025-02-18 (when was this score calculated)

References

https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955
https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919

Timeline

2025-01-21 00:33:23 UTC
CVE

segmentation fault in win_line() in Vim < 9.1.1043
2025-01-30 09:00:22 UTC
Tenable Plugins

CBL Mariner 2.0 Security Update: vim (CVE-2025-24014)
2025-02-26 10:46:32 UTC
Tenable Plugins

Amazon Linux 2 : vim (ALAS-2025-2753)