{"id":"AZL-32047","summary":"CVE-2023-48706 affecting package vim for versions less than 9.0.2121-1","details":"Vim is a UNIX editor that, prior to version 9.0.2121, has a heap-use-after-free vulnerability. When executing a `:s` command for the very first time and using a sub-replace-special atom inside the substitution part, it is possible that the recursive `:s` call causes freeing of memory that may later be accessed by the initial `:s` command. The user must intentionally execute the payload, and the whole process is a bit tricky to do since it seems to work reliably only for the very first `:s` command. It may also cause a crash of Vim. Version 9.0.2121 contains a fix for this issue.","modified":"2026-04-21T04:26:37.723535Z","published":"2023-11-22T22:15:08Z","upstream":["CVE-2023-48706"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-48706"}],"affected":[{"package":{"name":"vim","ecosystem":"Azure Linux:2","purl":"pkg:rpm/azure-linux/vim"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.2121-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-32047.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"}]}