CVE-2022-2182: in do_one_cmd(), after ";" sets curwin->w_cursor.lnum
to ea.line2, call check_cursor() instead of check_cursor_lnum() so
the column is validated too, and fall back to check_cursor_col()
when ea.line2 is zero, preventing a read past the end of the line on ":0;'{".
CVE-2022-2206: in check_shellsize(), clamp cmdline_row and msg_row
to Rows - 1 after limit_screen_size() so a shrinking terminal
cannot leave those values referencing freed screen rows.
CVE-2022-2257: in str2special(), when the byte is a single-byte character, set
*sp = str + (*str == NUL ? 0 : 1) so the caller cannot walk past
the terminating NUL when a menu item ends in a modifier-only key.
CVE-2022-2849: in latin_ptr2len()/dbcs_ptr2len(), return 0 when
*p == NUL so loops that advance by mb_ptr2len() cannot walk past
the NUL terminator (this matches the contract documented in
src/globals.h).
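The "0 at NUL" contract that the CVE-2022-2849 fix restores, shown in an added C example that is not Vim's code: latin_ptr2len_old, latin_ptr2len_fixed, utf_ptr2len_fixed and skip_chars are hypothetical reconstructions (the UTF-8 variant goes beyond the single-byte case the entry describes), and the inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

typedef unsigned char char_u;
#define NUL '\0'

/* Pre-fix behaviour (hypothetical reconstruction, not Vim's code): a
 * single-byte encoding reports length 1 for every byte, NUL included. */
static int latin_ptr2len_old(const char_u *p)
{
    (void)p;
    return 1;
}

/* Post-fix contract: the NUL terminator has length 0. */
static int latin_ptr2len_fixed(const char_u *p)
{
    return *p == NUL ? 0 : 1;
}

/* Simplified UTF-8 length with the same contract: the lead byte decides,
 * NUL gives 0, a stray/invalid lead byte counts as one byte (Vim's real
 * utf_ptr2len() also validates the trailing bytes). */
static int utf_ptr2len_fixed(const char_u *p)
{
    if (*p == NUL)             return 0;
    if (*p < 0x80)             return 1;
    if ((*p & 0xe0) == 0xc0)   return 2;
    if ((*p & 0xf0) == 0xe0)   return 3;
    if ((*p & 0xf8) == 0xf0)   return 4;
    return 1;
}

/* Steps forward up to n characters the way a loop that advances by
 * mb_ptr2len() does, and returns the byte offset it reached.  The loop
 * only looks at the returned length, so it halts at the terminator only
 * when ptr2len() honours the "0 at NUL" contract.  The constructed input
 * sits in a zero-padded buffer so the old behaviour shows up as an
 * offset beyond strlen() without any out-of-bounds read. */
static size_t skip_chars(const char *s, int n, int (*ptr2len)(const char_u *))
{
    char_u buf[32] = {0};
    const char_u *p = buf;

    strncpy((char *)buf, s, sizeof(buf) - 1);
    while (n-- > 0) {
        int len = ptr2len(p);
        if (len == 0 || p + len >= buf + sizeof(buf))
            break;              /* at NUL, or the hard buffer bound */
        p += len;
    }
    return (size_t)(p - buf);
}
```

With the old length function, skip_chars("ab", 5, ...) reports offset 5, three bytes beyond the terminator; with the fixed one it stops at offset 2.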
CVE-2022-3352: in spell_load_lang(), snapshot curbuf before the
SpellFileMissing autocommand fires and break out of the retry loop if
the autocommand deleted or replaced curbuf, preventing a
use-after-free through the cached "lang"/"curbuf" pointers. Uses
sl.sl_lang (a stack copy) as the apply_autocmds() pattern so it survives
buffer deletion.
CVE-2023-2609: in get_register() (ops.c), treat y_current->y_array
== NULL the same as y_size == 0 and set reg->y_array to NULL, so
invalid/NULL register contents cannot be walked as a valid
string vector.
CVE-2021-3778: in find_match_text() (regexp_nfa.c), advance by
utf_ptr2len(regline + col + len2) under enc_utf8 instead of
MB_CHAR2LEN(c2), so an invalid UTF-8 byte cannot cause a read
past the end of the line.
CVE-2022-1616: in append_command() (ex_docmd.c), change the
buffer-space check to "d - IObuff + 5 < IOSIZE" and skip copying
a multibyte character whose length would overrun IObuff, so an
invalid command containing composing characters cannot overflow the
error-message buffer.
CVE-2022-1897: in undo_time() (undo.c), call text_locked() /
text_locked_msg() and return early, so :undo, :earlier and g-
cannot run while the text is locked (e.g. inside a :substitute
callback) and free a buffer the caller is still walking.
CVE-2022-2125: in get_lisp_indent() (misc1.c), after the
double-quoted-string skip loop, break out of the outer scan loop
when *that is NUL so lisp indenting cannot walk past the end of the
line on an unterminated quote.