Vim double-free vulnerability during Vim9 script import operations_CVE-2025-55158

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim’s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.

Basic Information

ID CVE-2025-55158

Source GitHub_M

Published Aug 11, 2025 at 22:54

Affected Product

Vendor vim

Product vim

Version >= 9.1.1231, < 9.1.1406

Affected Versions vim vim >= 9.1.1231, < 9.1.1406

CWE Classification

CWE-415

References

{
    "lastseen": "",
    "description": "Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim\u2019s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406.",
    "published": "2025-08-11T22:54:12.015Z",
    "modified": "2025-08-11T22:54:12.015Z",
    "type": "cve",
    "title": "Vim double-free vulnerability during Vim9 script import operations",
    "source": "GitHub_M",
    "references": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x\nhttps://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775\nhttps://github.com/vim/vim/releases/tag/v9.1.1406",
    "id": "CVE-2025-55158",
    "bulletinFamily": "",
    "cwe": [
        "CWE-415"
    ],
    "cvelist": null,
    "sourceData": "vim vim >= 9.1.1231, < 9.1.1406",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "vim",
    "version": ">= 9.1.1231, < 9.1.1406",
    "vendor": "vim",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}