{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55158", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-07T18:27:23.306Z", "datePublished": "2025-08-11T22:54:12.015Z", "dateUpdated": "2025-08-12T15:51:41.020Z"}, "containers": {"cna": {"title": "Vim double-free vulnerability during Vim9 script import operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-415", "lang": "en", "description": "CWE-415: Double Free", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x"}, {"name": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775"}, {"name": "https://github.com/vim/vim/releases/tag/v9.1.1406", "tags": ["x_refsource_MISC"], "url": "https://github.com/vim/vim/releases/tag/v9.1.1406"}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"version": ">= 9.1.1231, < 9.1.1406", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-11T22:54:12.015Z"}, "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim\u2019s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406."}], "source": {"advisory": "GHSA-5fg8-wvx3-583x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-12T15:51:31.724220Z", "id": "CVE-2025-55158", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-12T15:51:41.020Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Vim double-free vulnerability during Vim9 script import operations", "source": {"advisory": "GHSA-5fg8-wvx3-583x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "vim", "product": "vim", "versions": [{"status": "affected", "version": ">= 9.1.1231, < 9.1.1406"}]}], "references": [{"url": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x", "name": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775", "name": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/vim/vim/releases/tag/v9.1.1406", "name": "https://github.com/vim/vim/releases/tag/v9.1.1406", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim\u2019s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-415", "description": "CWE-415: Double Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-11T22:54:12.015Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55158", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-12T15:51:31.724220Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-08-12T15:51:36.530Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-55158", "state": "PUBLISHED", "dateUpdated": "2025-08-11T22:54:12.015Z", "dateReserved": "2025-08-07T18:27:23.306Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-11T22:54:12.015Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*", "matchCriteriaId": "BF46B6DF-7B68-4BDD-9789-1D58B0F80B6F", "versionEndExcluding": "9.1.1406", "versionStartIncluding": "9.1.1231", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim\u2019s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406."}, {"lang": "es", "value": "Vim es un editor de texto de l\u00ednea de comandos de c\u00f3digo abierto. En versiones desde la 9.1.1231 hasta anteriores a la 9.1.1406, al procesar tuplas anidadas durante las operaciones de importaci\u00f3n de scripts de Vim9, un error durante la evaluaci\u00f3n puede provocar una doble liberaci\u00f3n en la gesti\u00f3n interna de valores tipificados (typval_T) de Vim. En concreto, la funci\u00f3n clear_tv() puede intentar liberar memoria ya desasignada debido a una gesti\u00f3n incorrecta del tiempo de vida en las rutas de c\u00f3digo handle_import / ex_import. La vulnerabilidad solo se activa si un usuario abre y ejecuta expl\u00edcitamente un script de Vim especialmente manipulado. Este problema se ha corregido en la versi\u00f3n 9.1.1406."}], "id": "CVE-2025-55158", "lastModified": "2025-08-12T18:49:05.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-11T23:15:28.037", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/vim/vim/releases/tag/v9.1.1406"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-415"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "vim: Vim double-free vulnerability during Vim9 script import operations", "id": "2387860", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2387860"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H", "status": "draft"}, "cwe": "CWE-415", "details": ["Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim\u2019s internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406."], "mitigation": {"lang": "en:us", "value": "Do not run untrusted vim scripts as it's not recommended."}, "name": "CVE-2025-55158", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "vim", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "rhcos", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2025-08-11T22:54:12Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-55158\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-55158\nhttps://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775\nhttps://github.com/vim/vim/releases/tag/v9.1.1406\nhttps://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x"], "statement": "Red Hat Product Security has rated this issue as having a Low security impact because the user has to run an untrusted file IN SCRIPT MODE. Someone who is running untrusted files in script mode is equivalent to someone just taking a random python script and running it.\nFor additional information, refer to the Issue Severity Classification [1] and Red Hat Enterprise Linux Life Cycle & Updates Policy.\n[1]. https://access.redhat.com/security/updates/classification/\n[2]. https://access.redhat.com/support/policy/updates/errata/", "threat_severity": "Low"}