What is CVE-2023-48235?

CVE-2023-48235 is a vulnerability in Vim that occurs when parsing relative ex addresses, leading to an overflow.

What is the impact of CVE-2023-48235?

The impact of CVE-2023-48235 is low, with limited user interaction required.

What software versions are affected by CVE-2023-48235?

Vim versions up to and excluding 9.0.2110 and Fedora 39 are affected by CVE-2023-48235.

How can I fix CVE-2023-48235?

To fix CVE-2023-48235, update Vim to version 9.0.2110 or higher.

Where can I find more information about CVE-2023-48235?

More information about CVE-2023-48235 can be found in the references provided: https://github.com/vim/vim/security/advisories/GHSA-6g74-hr6q-pr8g, https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200, http://www.openwall.com/lists/oss-security/2023/11/16/1

Vulnerability/
CVE-2023-48235

medium

4.3

CWE

190

16/11/2023

25/1/2024

CVE-2023-48235: overflow in ex address parsing in vim

First published: Thu Nov 16 2023(Updated: )

Vim is an open source command line text editor. When parsing relative ex addresses one may unintentionally cause an overflow. Ironically this happens in the existing overflow check, because the line number becomes negative and LONG_MAX - lnum will cause the overflow. Impact is low, user interaction is required and a crash may not even happen in all situations. This issue has been addressed in commit `060623e` which has been included in release version 9.0.2110. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Vim Vim	<9.0.2110
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38
Fedoraproject Fedora	=39
ubuntu/vim	<2:8.0.1453-1ubuntu1.13+	2:8.0.1453-1ubuntu1.13+
ubuntu/vim	<2:8.1.2269-1ubuntu5.21	2:8.1.2269-1ubuntu5.21
ubuntu/vim	<2:8.2.3995-1ubuntu2.15	2:8.2.3995-1ubuntu2.15
ubuntu/vim	<2:9.0.1000-4ubuntu3.3	2:9.0.1000-4ubuntu3.3
ubuntu/vim	<2:9.0.1672-1ubuntu2.2	2:9.0.1672-1ubuntu2.2
ubuntu/vim	<2:7.4.052-1ubuntu3.1+	2:7.4.052-1ubuntu3.1+
ubuntu/vim	<2:7.4.1689-3ubuntu1.5+	2:7.4.1689-3ubuntu1.5+
debian/vim	<=2:8.1.0875-5+deb10u2<=2:8.1.0875-5+deb10u6<=2:8.2.2434-3+deb11u1<=2:9.0.1378-2	2:9.1.0016-1 2:9.1.0377-1

Remedy

https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

USN-6557-1

Frequently Asked Questions

What is CVE-2023-48235?
CVE-2023-48235 is a vulnerability in Vim that occurs when parsing relative ex addresses, leading to an overflow.
What is the impact of CVE-2023-48235?
The impact of CVE-2023-48235 is low, with limited user interaction required.
What software versions are affected by CVE-2023-48235?
Vim versions up to and excluding 9.0.2110 and Fedora 39 are affected by CVE-2023-48235.
How can I fix CVE-2023-48235?
To fix CVE-2023-48235, update Vim to version 9.0.2110 or higher.
Where can I find more information about CVE-2023-48235?
More information about CVE-2023-48235 can be found in the references provided: https://github.com/vim/vim/security/advisories/GHSA-6g74-hr6q-pr8g, https://github.com/vim/vim/commit/060623e4a3bc72b011e7cd92bedb3bfb64e06200, http://www.openwall.com/lists/oss-security/2023/11/16/1

collector/mitre-cve
agent/type
collector/launchpad-cve
source/Launchpad
agent/author
agent/references
agent/first-publish-date
agent/weakness
agent/title
agent/remedy
agent/severity
agent/event
agent/description
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/tags
collector/nvd-cve
collector/security-tracker-debian
source/Debian
agent/softwarecombine
collector/usn-cve
source/Ubuntu
vendor/vim
canonical/vim vim
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/37
version/fedoraproject fedora/38
version/fedoraproject fedora/39
package-manager/debian
package-manager/ubuntu