CVE-2022-3352: 
NixOS vulnerability analysis and mitigation

A Use After Free vulnerability (CVE-2022-3352) was discovered in GitHub repository vim/vim prior to version 9.0.0614. The vulnerability was disclosed in September 2022 and affects the Vim text editor, a popular improved version of the vi editor (MITRE, NVD).

The vulnerability is related to the SpellFileMissing autocmd functionality which could potentially delete the current buffer and use freed memory. The issue was fixed by disallowing the deletion of the current buffer to avoid using freed memory. The fix was implemented in vim version 9.0.0614 through commit ef976323e770315b5fca544efb6b2faa25674d15 (VIM Commit). The vulnerability has a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Ubuntu CVE).

The vulnerability could lead to use-after-free conditions, potentially resulting in program crashes, memory corruption, and possible code execution. The impact is considered high for confidentiality, integrity, and availability when successfully exploited (Ubuntu CVE).

The vulnerability has been fixed in vim version 9.0.0614 and later. Users are advised to upgrade to the patched version. Multiple distributions have released security updates, including Ubuntu (versions 22.04 LTS, 20.04 LTS), Debian (version 2:8.1.0875-5+deb10u4), and Fedora (version 9.0.720-1) (Debian LTS, Ubuntu CVE).