Vim
cpe:2.3:a:vim:vim:*:*:*:*:*:*:*
- >= 9.1.1232, < 9.1.1400
A heap use-after-free vulnerability has been identified in Vim versions later than 9.1.1231 and prior to 9.1.1400. The issue arises when nested tuples are processed in Vim script: an error during evaluation can lead to improper memory management, and the 'tuple_unref()' function may then access memory that has already been freed, causing memory corruption. This vulnerability requires direct user interaction, as the script must be executed within Vim.
Exploitation of this vulnerability leads to a heap use-after-free condition, with the most likely outcome being a crash of the Vim application. However, the memory corruption could potentially be exploited for more severe consequences, depending on the environment where Vim is running.
The vulnerability can be reproduced by executing a Vim script that processes nested tuples and intentionally causes an evaluation error. This can be done by creating a recursive tuple that exceeds the evaluation limit, triggering the use-after-free condition.
Users can upgrade to Vim version 9.1.1400 or later to address this vulnerability.
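To check whether an installed Vim falls in the affected range above, the following added example (not part of the advisory or of Vim itself) parses the text printed by `vim --version`. The function names are hypothetical, the sample outputs are constructed, and treating a build that lists patch 1400 among its included patches as fixed is an assumption.

```python
import re

FIRST_AFFECTED_PATCH = 1232   # lower bound of the advisory's range (9.1.1232)
FIXED_PATCH = 1400            # 9.1.1400 carries the fix

def parse_vim_version(text):
    """Return ((major, minor), set of included patch numbers)."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    patches = set()
    # The patch line may hold ranges and single numbers: "1-1385, 1400"
    p = re.search(r"^Included patches: (.+)$", text, re.MULTILINE)
    if p:
        for item in p.group(1).split(","):
            lo, _, hi = item.strip().partition("-")
            patches.update(range(int(lo), int(hi or lo) + 1))
    return release, patches

def is_affected(text):
    """True when the build is 9.1 with patch >= 1232 and without patch 1400."""
    release, patches = parse_vim_version(text)
    if release != (9, 1):
        return False  # other releases fall outside the advisory's 9.1 range
    highest = max(patches, default=0)
    return highest >= FIRST_AFFECTED_PATCH and FIXED_PATCH not in patches

# Constructed sample outputs (first lines of `vim --version` only).
HEADER = "VIM - Vi IMproved 9.1 (2024 Jan 02, compiled May 01 2025 10:00:00)\n"
SAMPLES = {
    "vulnerable": HEADER + "Included patches: 1-1385\n",
    "fixed": HEADER + "Included patches: 1-1400\n",
    "too_old": HEADER + "Included patches: 1-1230\n",
    "backported": HEADER + "Included patches: 1-1385, 1400\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:11s} affected={is_affected(text)}")
```
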