CVE-2022-1720: 
NixOS vulnerability analysis and mitigation

A buffer over-read vulnerability was discovered in the grabfilename function in GitHub repository vim/vim prior to version 8.2.4956. The vulnerability was identified in May 2022 and affects the Vim text editor. The issue occurs when reading after the NULL terminates the line with 'gf' in Visual block mode (CVE Database, Debian Security).

The vulnerability is a buffer over-read issue in the grabfilename function located in the findfile.c file. The flaw occurs specifically when using the 'gf' command in Visual block mode, where the function reads beyond the NULL terminator of a line. This was fixed in version 8.2.4956 by improving input validation and removing the vulnerable code that included the NUL in the length calculation (GitHub Commit).

The vulnerability can lead to software crashes, memory modification, and potentially remote code execution. When exploited, it could allow attackers to cause denial-of-service conditions or potentially execute arbitrary code (NVD).

Users should upgrade to Vim version 8.2.4956 or later which contains the fix for this vulnerability. Multiple distributions have released security updates including Debian, Fedora, and Apple macOS (Fedora Update, Debian LTS).