CLSA-2026-1777476716
See a problem?- Import Source
- https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/oraclelinux7els/CLSA-2026-1777476716.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CLSA-2026-1777476716
- Upstream
- Published
- 2026-05-06T08:12:06Z
- Modified
- 2026-05-27T11:18:28.146790192Z
- Summary
- vim: Fix of 8 CVEs
- Details
-
- CVE-2021-4019: replace the unbounded STRCPY pair in findhelptags() with vim_snprintf bounded by IOSIZE to prevent heap buffer overflow with long :help arguments starting with "\%_z@".
- CVE-2021-4192: re-fetch regline/reginput via reggetline() after getvvcol() in regmatch_visual() so the cached line pointer cannot become a use-after-free when getvvcol flushes the line buffer.
- CVE-2021-4193: clamp pos->col to the first NUL in getvcol() so /\%V searches cannot read past the end of the line.
- CVE-2022-1720: in getvisualtext(), drop a trailing NUL from non-mbyte selection length and guard the mbyte correction with *lenp > 0 so "gf" in Visual block mode does not read past the line.
- CVE-2022-2126: also require sp->tsfidx > 0 before decrementing tsfidx in the DIFFINSERT branch of suggesttrie_walk() so spell suggestion cannot read before the start of the bad-word buffer.
- CVE-2022-2210: initialise off = 0 at the top of the deleted > 0 branch of diffmarkadjust_tp() and only compute the real offset in the "5. delete lines at or just before top of diff" case, so a diff-block full-delete does not use a stale offset.
- CVE-2022-2285: place a NUL terminator at tp[len] before key-name matching in check_termcode() so crafted typeahead cannot be read past the end of the buffer.
- CVE-2022-2345: always vimstrsave(newsub) into regprevsub in regtilde() and track an allocated regtilde result in subcopy in do_sub() so a recursive :s cannot use freed memory.
- References