CVE-2022-0392:
NixOS vulnerability analysis and mitigation

Overview

A heap-based buffer overflow vulnerability was discovered in Vim prior to version 8.2. The vulnerability (CVE-2022-0392) was identified on January 27, 2022, and affects the bracketed paste functionality when used in Ex mode (Vim Commit, NVD).

Technical details

The vulnerability occurs due to illegal memory access with bracketed paste in Ex mode. The issue stems from insufficient space reservation for the trailing NUL character when processing pasted content. This was fixed by modifying the code to properly account for the additional byte needed for the NUL terminator (Vim Commit).

Impact

The heap-based buffer overflow could potentially lead to arbitrary code execution, memory corruption, or application crashes when processing maliciously crafted input in Ex mode (Debian LTS).

Mitigation and workarounds

The vulnerability was patched in Vim version 8.2.4218. Users are advised to upgrade to this version or later. Multiple distributions have released security updates including Debian, Ubuntu, and Apple macOS that address this vulnerability (Debian LTS, Apple Security).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.8

Score

Published January 28, 2022

Severity HIGH

CNA Score 6.1

Affected Technologies

NixOS
Vim

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 25.8

Exploitation Probability (EPSS) 0.1

Affected packages and libraries

vim
vim-small

Sources

AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Jul 20, 2022
Alpine Security Tracker
- Alpine 3.10, 3.11 Severity HIGHNo FixAdded at: Dec 03, 2023
- Alpine 3.12, 3.13, 3.14 Severity HIGHHas FixAdded at: Apr 04, 2022
- Alpine 3.15 Severity HIGHHas FixAdded at: Apr 01, 2022
- Alpine 3.16 Severity HIGHHas FixAdded at: May 24, 2022
- Alpine 3.17 Severity HIGHHas FixAdded at: Nov 23, 2022
- Alpine 3.18 Severity HIGHHas FixAdded at: May 10, 2023
- Alpine 3.19 Severity HIGHHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity HIGHHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity HIGHHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
- Alpine edge Severity HIGHHas FixAdded at: Jun 19, 2023
CBL-Mariner
- CBL-Mariner 1.0, 2.0 Severity HIGHHas FixAdded at: Jun 10, 2023
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Mar 23, 2022
Debian Security Tracker
- Debian 10, 11, 12 Severity HIGHHas FixAdded at: Mar 28, 2022
- Debian 13 Severity HIGHHas FixAdded at: Jun 11, 2023
Gentoo Advisory Database
- Gentoo Severity LOWHas FixAdded at: Aug 21, 2022
Homebrew
- Homebrew Severity HIGHHas FixAdded at: Feb 12, 2024
Nix
- Nix Severity HIGHHas FixAdded at: Nov 01, 2023
Photon Security Advisory
- Photon 2.0, 3.0 Severity HIGHHas FixAdded at: May 21, 2022
- Photon 4.0 Severity HIGHHas FixAdded at: May 23, 2022
Red Hat Errata
- Red Hat 8 Severity MEDIUMHas FixAdded at: Feb 02, 2022
Ubuntu Security Tracker
- Ubuntu 18.04, 20.04 Severity MEDIUMHas FixAdded at: May 14, 2022
- Ubuntu 22.04 Severity MEDIUMHas FixAdded at: Nov 01, 2022
NVD
- Linux Severity HIGHHas FixAdded at: Jun 19, 2024
- Windows Severity HIGHHas FixAdded at: Jan 31, 2022