Main Vulnerability Database SB20250226511

SB20250226511 - SUSE update for vim

Published: February 26, 2025

Security Bulletin ID SB20250226511

Severity

High

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Heap-based buffer overflow (CVE-ID: CVE-2024-43790)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to boundary error within the do_search() function when performing a search and displaying the search-count message is disabled. A remote attacker can trick the victim to open a specially crafted file and use a specially crafted payload to search information, trigger a heap-based buffer overflow and crash the editor.

2) Heap-based buffer overflow (CVE-ID: CVE-2024-43802)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary error within the ins_typebuf() function. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and crash the application.

3) Heap-based buffer overflow (CVE-ID: CVE-2024-45306)

The vulnerability allows a remote attacker to crash the application.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim to open a specially crafted file, trigger a heap-based buffer overflow and crash the application.

4) Buffer overflow (CVE-ID: CVE-2025-1215)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing data passed via "--log" argument. A remote attacker can trick the victim into opening a file with a specially crafted argument, trigger memory corruption and execute arbitrary code on the target system.

5) Heap-based buffer overflow (CVE-ID: CVE-2025-22134)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error. A remote attacker can trick the victim into opening a specially crafted file, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

6) Out-of-bounds write (CVE-ID: CVE-2025-24014)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote attacker can create a specially crafted file, trick the victim into opening it using the affected software, trigger an out-of-bounds write and execute arbitrary code on the target system.

Remediation

Install update from vendor's website.

References

https://www.suse.com/support/update/announcement/2025/suse-su-20250723-1/

Vulnerable Software

Desktop Applications Module: 15-SP6
Basesystem Module: 15-SP6
SUSE Linux Enterprise Real Time 15: SP6
openSUSE Leap: 15.5 - 15.6
SUSE Linux Enterprise Server for SAP Applications 15: SP6
SUSE Linux Enterprise Server 15: SP6
SUSE Linux Enterprise Desktop 15: SP6
SUSE Linux Enterprise Micro: 5.5
vim-data: before 9.1.1101-150500.20.21.1
vim-data-common: before 9.1.1101-150500.20.21.1
vim-debugsource: before 9.1.1101-150500.20.21.1
vim-small: before 9.1.1101-150500.20.21.1
gvim: before 9.1.1101-150500.20.21.1
gvim-debuginfo: before 9.1.1101-150500.20.21.1
vim-debuginfo: before 9.1.1101-150500.20.21.1
vim-small-debuginfo: before 9.1.1101-150500.20.21.1
vim: before 9.1.1101-150500.20.21.1