oss-sec mailing list archives

[vim-security] A double-free was found in Vim >v9.1.1231 and < 9.1.1406


From: Christian Brabandt <cb () 256bit org>
Date: Sun, 10 Aug 2025 15:49:56 +0200

Note: I have been asked to create a security advisory for the issue
mentioned below. The actual issue has already been fixed on May 23rd.

A double-free was found in Vim >v9.1.1231 and < 9.1.1406
========================================================
Date: 10.08.2025
Severity: Medium
CVE: *not yet assigned*
CWE: Double Free (CWE-415)

Vim gained support for the "tuple" data type in patch v9.1.1232.

When processing nested tuples during Vim9 script import operations, an
error during evaluation can trigger a double-free in Vim’s internal
typed value (typval_T) management. Specifically, the clear_tv() function
may attempt to free memory that has already been deallocated, due to
improper lifetime handling in the handle_import / ex_import code paths.
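As an added illustration, not Vim's code and not the fix commit, the following C model shows the ownership mistake behind this bug class: an import path shallow-copies a nested tuple typval, releases it on an error, and the caller then releases the same tuple again. The names typval_T, clear_tv and handle_import follow the advisory; the tuple_T layout, make_tuple, the take_ownership switch and the hit counter are assumptions of this model.

```c
#include <stdlib.h>

/* Simplified model, not Vim's real code: a typed value holding a heap tuple of
 * nested typed values; a second release of the same tuple is counted rather
 * than crashing, as a stand-in for AddressSanitizer. */
typedef enum { VAR_UNKNOWN, VAR_NUMBER, VAR_TUPLE } vartype_T;
typedef struct tuple_S { struct typval_S *items; int len; int freed; } tuple_T;
typedef struct typval_S { vartype_T v_type; union { long v_number; tuple_T *v_tuple; } vval; } typval_T;
static int g_double_free_hits;

static void clear_tv(typval_T *tv)
{
    tuple_T *t = (tv->v_type == VAR_TUPLE) ? tv->vval.v_tuple : NULL;
    if (t != NULL && t->freed) {
        g_double_free_hits++;               /* double free: items were already released */
    } else if (t != NULL) {
        for (int i = 0; i < t->len; i++)
            clear_tv(&t->items[i]);         /* recurse into nested tuples first */
        free(t->items);
        t->freed = 1;                       /* header kept so reuse stays detectable */
    }
    tv->v_type = VAR_UNKNOWN;               /* this typval no longer references the tuple */
    tv->vval.v_tuple = NULL;
}
static typval_T make_tuple(int len)         /* items start out as VAR_UNKNOWN */
{
    tuple_T *t = calloc(1, sizeof(tuple_T));
    t->items = calloc((size_t)len, sizeof(typval_T));
    t->len = len;
    return (typval_T){ VAR_TUPLE, { .v_tuple = t } };
}
/* Import step that shallow-copies its argument, then fails while evaluating a nested
 * item. Without take_ownership the copy and the caller's original still share one
 * tuple, so the caller's own clear_tv() releases it a second time. */
static void handle_import(typval_T *tv, int take_ownership)
{
    typval_T copy = *tv;                    /* shallow copy shares vval.v_tuple */
    if (take_ownership) tv->v_type = VAR_UNKNOWN;   /* hardened: caller gives up the tuple */
    clear_tv(&copy);                        /* error path releases what it holds, then fails */
}
/* One import followed by the caller's own cleanup; returns double-free hits (0 is correct). */
static int import_and_cleanup(int take_ownership)
{
    g_double_free_hits = 0;
    typval_T outer = make_tuple(1);
    outer.vval.v_tuple->items[0] = make_tuple(1);   /* nested tuple, as in the advisory */
    handle_import(&outer, take_ownership);
    clear_tv(&outer);
    return g_double_free_hits;
}
```

The hardened path hands the tuple to the callee by invalidating the caller's copy, which is the same discipline a refcount or an explicit ownership transfer enforces in real code.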

The most likely outcome is a denial-of-service (application crash).
However, since this is a memory corruption flaw, it could, in theory, be
exploited for more severe consequences depending on the execution
environment. The vulnerability can only be triggered if a user
explicitly opens and executes a specially crafted Vim script and
therefore the severity of this impact is rated **medium**.

This issue was discovered via fuzz testing with AFL++ and confirmed
using AddressSanitizer.

The Vim project would like to thank Yang Luo and Yanju Chen from the
Security Team @ Riema Labs for reporting this issue and Yegappan
Lakshmanan for fixing this vulnerability.

The issue has been fixed as of Vim patch v9.1.1406.

References:
https://github.com/vim/vim/commit/9772025d24e939fd84b85748ce35c26874c05775
https://github.com/vim/vim/security/advisories/GHSA-5fg8-wvx3-583x

Thanks,
Christian
-- 
Persistence is sometimes mistaken for obstinacy.
                -- August von Kotzebue