CVE-2024-45306

CVE-2024-45306 is a medium-severity vulnerability in Vim with a CVSS 3.x base score of 4.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-787.

Key facts

Description

Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.

Frequently asked questions

What is CVE-2024-45306?
Vim is an open source, command line text editor. Patch v9.1.0038 optimized how the cursor position is calculated and removed a loop, that verified that the cursor position always points inside a line and does not become invalid by pointing beyond the end of a line. Back then we assumed this loop is unnecessary. However, this change made it possible that the cursor position stays invalid and points beyond the end of a line, which would eventually cause a heap-buffer-overflow when trying to access the line pointer at the specified cursor position. It's not quite clear yet, what can lead to this situation that the cursor points to an invalid position. That's why patch v9.1.0707 does not include a test case. The only observed impact has been a program crash. This issue has been addressed in with the patch v9.1.0707. All users are advised to upgrade.
How severe is CVE-2024-45306?
CVE-2024-45306 has a CVSS 3.x base score of 4.5, rated medium severity. It is exploitable over local access with high attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability low.
Is CVE-2024-45306 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (22nd percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2024-45306?
CVE-2024-45306 affects Vim. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2024-45306?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-45306 have an EU (EUVD) identifier?
Yes. CVE-2024-45306 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-41429.
When was CVE-2024-45306 published?
CVE-2024-45306 was published on 2024-09-02 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Vim

All CVEs affecting Vim →

Other CWE-787 (Out-of-bounds Write) vulnerabilities

Browse all CWE-787 (Out-of-bounds Write) vulnerabilities →