CVE-2025-24014

low-risk

Published 2025-01-20

Vim is an open source, command line text editor. A segmentation fault was found in Vim before 9.1.1043. In silent Ex mode (-s -e), Vim typically doesn't show a screen and just operates silently in batch mode. However, it is still possible to trigger the function that handles the scrolling of a gui version of Vim by feeding some binary characters to Vim. The function that handles the scrolling however may be triggering a redraw, which will access the ScreenLines pointer, even so this variable hasn't been allocated (since there is no screen). This vulnerability is fixed in 9.1.1043.

Do I need to act?

0.10% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.2/10 Medium

LOCAL / HIGH complexity

Affected Products (2)

Vim

Hci Compute Node Firmware

Affected Vendors

Netapp Vim

References (5)

Patch https://github.com/vim/vim/commit/9d1bed5eccdbb46a26b8a484f5e9163c40e63919

Vendor Advisory https://github.com/vim/vim/security/advisories/GHSA-j3g9-wg22-v955

Mailing List http://www.openwall.com/lists/oss-security/2025/01/20/4

Mailing List http://www.openwall.com/lists/oss-security/2025/01/21/1

Third Party Advisory https://security.netapp.com/advisory/ntap-20250314-0005/

/ 100

low-risk

Severity 11/34 · Low

Exploitability 0/34 · Minimal

Exposure 7/34 · Low