Vim Double-Free Vulnerability in Typed Value Management

Vulnerability

A double-free vulnerability affects Vim versions from 9.1.1231 up to, but not including, 9.1.1406. It is triggered while processing nested tuples in Vim9 script imports: when an evaluation error occurs, the typed value is not managed correctly and clear_tv() may attempt to free memory that has already been freed, resulting in memory corruption. The bug is reachable only when a user deliberately executes a specially crafted Vim script.

Impact

Exploitation of this vulnerability causes Vim to crash, resulting in a denial of service. Because the root cause is memory corruption, more severe consequences cannot be ruled out, depending on the execution environment.

Reproduction

The vulnerability is reproduced by importing a specially crafted Vim9 script that contains nested tuples and is designed to raise an evaluation error, which triggers the double free in Vim's typed value management.

Remediation

Users can upgrade to Vim version 9.1.1406 or later to address this vulnerability.

Added: Aug 11, 2025, 11:21 PM
Updated: Aug 11, 2025, 11:21 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 5.4
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.