CVE-2022-4292: 
NixOS vulnerability analysis and mitigation

CVE-2022-4292 is a Use-After-Free vulnerability discovered in Vim's didsetspelllang() function of the spell.c file, affecting versions prior to 9.0.0882. The vulnerability was disclosed on December 5, 2022, and impacts the Vim text editor and its variants (CVE, NVD).

The vulnerability occurs when Vim uses freed memory after a SpellFileMissing autocmd uses bwipe. The issue specifically manifests in the didsetspelllang() function when the window no longer exists after the SpellFileMissing autocommand execution. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (Ubuntu, RedHat).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability affects the confidentiality, integrity, and availability of the system with high impact ratings (NetApp).

The vulnerability has been fixed in Vim version 9.0.0882 and later. The fix involves adding a check to bail out if the window no longer exists after the SpellFileMissing autocommand execution. Users are advised to upgrade to the patched version. The fix was implemented through commit c3d27ada14acd02db357f2d16347acc22cb17e93 in the Vim repository (GitHub).