CVE-2022-3296: 
NixOS vulnerability analysis and mitigation

A Stack-based Buffer Overflow vulnerability was discovered in the Vim text editor (CVE-2022-3296) affecting versions prior to 9.0.0577. The vulnerability was identified in September 2022 and specifically affects the exfinally() function in exeval.c file of the GitHub repository vim/vim (NVD, Debian Tracker).

The vulnerability is classified as a Stack-based Buffer Overflow with a CVSS v3.1 base score of 7.8 (HIGH). The vulnerability vector is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required. The vulnerability has been categorized under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow) (NVD).

If successfully exploited, this vulnerability could lead to high impacts on confidentiality, integrity, and availability of the affected system. The stack buffer overflow condition could potentially allow an attacker to execute arbitrary code or cause the application to crash when processing specially crafted input (NVD).

The vulnerability has been fixed in Vim version 9.0.0577 and later. Users are advised to upgrade to the patched version. The fix was implemented through a commit that addresses the buffer underflow issue with unexpected :finally statements (Github Patch).

Multiple Linux distributions have responded to this vulnerability by releasing security updates, including Fedora and Gentoo. Fedora included this fix in their security updates for versions 35, 36, and 37 (Fedora Update, Gentoo Security).