Ubuntu update for vim
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 15 |
| CVE-ID | CVE-2022-2522 CVE-2022-2580 CVE-2022-2598 CVE-2022-2816 CVE-2022-2817 CVE-2022-2819 CVE-2022-2862 CVE-2022-2874 CVE-2022-2889 CVE-2022-2982 CVE-2022-3016 CVE-2022-3037 CVE-2022-3099 CVE-2022-3134 CVE-2022-3153 |
| CWE-ID | CWE-122 CWE-125 CWE-416 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Ubuntu Operating systems & Components / Operating system vim-runtime (Ubuntu package) Operating systems & Components / Operating system package or component xxd (Ubuntu package) Operating systems & Components / Operating system package or component vim-tiny (Ubuntu package) Operating systems & Components / Operating system package or component vim-nox (Ubuntu package) Operating systems & Components / Operating system package or component vim-gtk3 (Ubuntu package) Operating systems & Components / Operating system package or component vim-gtk (Ubuntu package) Operating systems & Components / Operating system package or component vim-athena (Ubuntu package) Operating systems & Components / Operating system package or component vim (Ubuntu package) Operating systems & Components / Operating system package or component |
| Vendor | Canonical Ltd. |
Security Bulletin
This security bulletin contains information about 15 vulnerabilities.
1) Heap-based buffer overflow
EUVDB-ID: #VU66637
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2522
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the ins_compl_infercase_gettext() function in insexpand.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-based buffer overflow
EUVDB-ID: #VU66636
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2580
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within the eval_string() function in typval.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Heap-based buffer overflow
EUVDB-ID: #VU66633
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2598
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the diff_write_buffer() function in diff.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU66626
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2816
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition within the check_vim9_unlet() function in vim9cmds.c. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger out-of-bounds read error and read contents of memory on the system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use-after-free
EUVDB-ID: #VU66627
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2817
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing files in testing.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer overflow
EUVDB-ID: #VU66628
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2819
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in vim9cmds.c. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use-after-free
EUVDB-ID: #VU66630
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2862
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in vim9compile.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) NULL pointer dereference
EUVDB-ID: #VU66629
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2874
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in vim9compile.c. A remote attacker can trick the victim top open a specially crafted file and crash the application.
Update the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Use-after-free
EUVDB-ID: #VU66669
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2889
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the find_var_also_in_script() function in evalvars.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Use-after-free
EUVDB-ID: #VU66787
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-2982
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the qf_fill_buffer() function in quickfix.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Use-after-free
EUVDB-ID: #VU66860
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3016
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the get_next_valid_entry() function in quickfix.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Use-after-free
EUVDB-ID: #VU67049
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3037
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the qf_buf_add_line() function. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Use-after-free
EUVDB-ID: #VU67050
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3099
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error within the do_cmdline() function in vim/src/ex_docmd.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Use-after-free
EUVDB-ID: #VU67159
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3134
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing files within the do_tag() function in vim/src/tag.c. A remote attacker can trick the victim to open a specially crafted file, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
15) NULL pointer dereference
EUVDB-ID: #VU67160
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2022-3153
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the vim_regcomp() function in regexp.c. A remote attacker can perform a denial of service (DoS) attack.
MitigationUpdate the affected package vim to the latest version.
Vulnerable software versionsUbuntu: 14.04 - 22.04
vim-runtime (Ubuntu package): before Ubuntu Pro
xxd (Ubuntu package): before Ubuntu Pro
vim-tiny (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-nox (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk3 (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-gtk (Ubuntu package): before Ubuntu Pro (Infra-only)
vim-athena (Ubuntu package): before Ubuntu Pro (Infra-only)
vim (Ubuntu package): before Ubuntu Pro (Infra-only)
External linkshttp://ubuntu.com/security/notices/USN-6302-1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
