CVE-2025-1215
Published: 12 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-1215 is a memory corruption vulnerability (CWE-119) in Vim versions up to 9.1.1096, affecting an unspecified part of the code in src/main.c. The issue arises from manipulation of the --log command-line argument, which can trigger improper memory handling. With a CVSS v3.1 base score of 2.8 (AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L), it is a low-severity, local issue, rated as problematic.
A local attacker with low privileges can exploit this vulnerability by convincing a user to invoke Vim with a specially crafted --log argument, requiring user interaction. Successful exploitation leads to limited availability impact through memory corruption, such as a crash or denial of service on the affected system, with no confidentiality or integrity effects.
Mitigation involves upgrading to Vim version 9.1.1097, which includes the fixing commit c5654b84480822817bb7b69ebc97c174c91185e9. Relevant advisories and resources are available at the Vim GitHub repository, including the patch commit, associated issue #16606, and the release tag for v9.1.1097, as well as entries on VulDB.
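To check whether an installed Vim predates the fix, the following added example (not code from the Vim project or the advisory) parses `vim --version` output and tests for patch 1097 in the 9.1 series. The sample outputs are constructed, and the single-line "Included patches:" layout is an assumption about that output.

```python
import re
import subprocess

FIXED_RELEASE = (9, 1)   # release series that received the fix
FIXED_PATCH = 1097       # first patched version is 9.1.1097 (from the advisory)

def included_patches(text):
    """Return (lo, hi) ranges from the 'Included patches:' line.

    Assumes the list is on one line, e.g. '1-1097' or '1-500, 502-1097'.
    """
    m = re.search(r"^Included patches:\s*(.+)$", text, re.MULTILINE)
    ranges = []
    if m:
        for item in m.group(1).split(","):
            nums = [int(n) for n in re.findall(r"\d+", item)]
            if nums:
                ranges.append((nums[0], nums[-1]))
    return ranges

def is_affected(version_output):
    """True if the build reports a version earlier than 9.1.1097."""
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("input does not look like `vim --version` output")
    release = (int(m.group(1)), int(m.group(2)))
    if release != FIXED_RELEASE:
        # Older series are in the affected range; newer ones include the fix.
        return release < FIXED_RELEASE
    # Within 9.1, require patch 1097 itself, not just a higher number, so a
    # build with a gap in its patch list is still flagged.
    return not any(lo <= FIXED_PATCH <= hi
                   for lo, hi in included_patches(version_output))

# Constructed sample outputs (abbreviated to the lines the parser reads).
SAMPLE_PATCHED = "VIM - Vi IMproved 9.1 (2024 Jan 02)\nIncluded patches: 1-1097\n"
SAMPLE_VULNERABLE = "VIM - Vi IMproved 9.1 (2024 Jan 02)\nIncluded patches: 1-1096\n"
SAMPLE_GAP = "VIM - Vi IMproved 9.1 (2024 Jan 02)\nIncluded patches: 1-1000, 1098-1200\n"
SAMPLE_OLD = "VIM - Vi IMproved 8.2 (2019 Dec 12)\nIncluded patches: 1-4919\n"

if __name__ == "__main__":
    try:
        out = subprocess.run(["vim", "--version"], capture_output=True,
                             text=True, check=True).stdout
        print("affected" if is_affected(out) else "patched")
    except (FileNotFoundError, subprocess.CalledProcessError, ValueError) as e:
        print(f"could not determine Vim version: {e}")
```

A distribution may backport the fix without raising the reported patch level, so an "affected" result on a vendor build should be confirmed against the vendor's own advisory.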
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows local memory corruption via the --log argument, leading to a crash of the Vim application (DoS), which maps to T1499.004 (Application or System Exploitation).