Dear Zsh Maintainers,
I am Sandaru, and I’ve been analyzing the Zsh source code using the Clang Static Analyzer (scan-build). During the analysis, I identified a potential memory corruption issue (Double Free) in the ZLE module.
Bug Details:
Type: Double Free (Attempt to free released memory)
File: Src/Zle/zle_vi.c
Function: startvitext (Line 101/119 area)
Analyzer Output: The tool flagged a "Double Free" where memory is attempted to be released after it has already been freed in a previous step within the same execution path. This was identified among 151 other potential issues, but this one appears to have the highest security impact as it relates to memory management in the Vi-mode editor.
Supporting Evidence:
I have attached the screenshots from the scan-build report showing the exact code path and the error message. Please let me know if you would like me to provide the full HTML report generated by the analyzer.
Best regards, Sandaru
Attachments:
- Screenshot_2026-05-03_18_48_05.png (PNG image)
- Screenshot_2026-05-03_18_54_22.png (PNG image)
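The report above names the defect class ("Attempt to free released memory", the wording used by the Clang Static Analyzer's malloc checker) but not the code path itself, which is only in the screenshots. The following is an added, constructed example and is not code from zsh or from the startvitext function: it shows the general shape of such a finding (a helper frees a buffer on an error path but leaves the dangling pointer behind, so the caller's cleanup frees it again) next to the ownership discipline that removes it (the helper only publishes the pointer on success, and the release routine clears the pointer so a second call is a no-op). The struct and function names are made up for the illustration; the file compiles on its own and can be fed to scan-build to see how the buggy path is reported.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a text buffer with a pointer whose ownership
 * is ambiguous in the buggy variant and explicit in the safe variant. */
struct textbuf {
    char *data;
    size_t len;
};

/* BUGGY: frees buf->data on the "too long" path but leaves the stale
 * pointer in the struct, so release_buggy() frees the same block again.
 * This is the pattern the analyzer reports as "Attempt to free released
 * memory" (double free). Kept here only to be analysed, not executed. */
int fill_buggy(struct textbuf *buf, const char *src, size_t cap)
{
    buf->data = malloc(cap);
    if (!buf->data)
        return -1;
    buf->len = strlen(src);
    if (buf->len >= cap) {
        free(buf->data);            /* first free; pointer left dangling */
        return -1;
    }
    memcpy(buf->data, src, buf->len + 1);
    return 0;
}

void release_buggy(struct textbuf *buf)
{
    free(buf->data);                /* second free when fill_buggy failed */
}

/* Only safe for inputs shorter than the capacity; with a long input the
 * error path in fill_buggy() followed by release_buggy() is a double free. */
int use_buggy(const char *src)
{
    struct textbuf b = { NULL, 0 };
    int rc = fill_buggy(&b, src, 8);
    release_buggy(&b);
    return rc;
}

/* SAFE: the helper owns the allocation until it succeeds; on failure it
 * frees its own block and never touches the caller's struct. */
int fill_safe(struct textbuf *buf, const char *src, size_t cap)
{
    char *p = malloc(cap);
    if (!p)
        return -1;
    size_t n = strlen(src);
    if (n >= cap) {
        free(p);                    /* this function is the sole owner here */
        return -1;                  /* buf->data stays NULL */
    }
    memcpy(p, src, n + 1);
    buf->data = p;                  /* ownership transferred to the caller */
    buf->len = n;
    return 0;
}

/* Idempotent release: clearing the pointer makes a repeated call harmless
 * (free(NULL) is defined to do nothing). */
void release_safe(struct textbuf *buf)
{
    free(buf->data);
    buf->data = NULL;
    buf->len = 0;
}

/* Returns 0 when src fits, -1 otherwise; never frees a block twice, even
 * though release_safe() is deliberately called twice. */
int use_safe(const char *src)
{
    struct textbuf b = { NULL, 0 };
    int rc = fill_safe(&b, src, 8);
    release_safe(&b);
    release_safe(&b);               /* second call is a no-op */
    return rc;
}

int main(void)
{
    printf("use_safe(\"vi\")      -> %d\n", use_safe("vi"));
    printf("use_safe(long input) -> %d\n", use_safe("a much longer string"));
    printf("use_buggy(\"vi\")     -> %d\n", use_buggy("vi"));  /* short input only */
    return 0;
}
```

The fix in the safe variant is not "free less" but "make ownership unambiguous": exactly one party owns the block at every point, and a released pointer is never left reachable. That is also the property a reviewer would check for when confirming or rejecting an analyzer finding like the one reported above, since scan-build reasons about a single path and can report a free that is unreachable in practice.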