From a512d43716fcc18a8384bbe11534009b22b681bc Mon Sep 17 00:00:00 2001
From: Emanuel Krollmann
Date: Sun, 18 Jan 2026 17:19:30 +0100
Subject: [PATCH] fix(autocmd): heap UAF with :bwipe in Syntax autocmd
Problem: Creating an autocommand which executes `:bwipe` on the Syntax event causes a heap-use-after-free.
Solution: set BF_SYN_SET flag before applying autocommands
(cherry picked from commit f36dd7557a98e2071f607b0859ccc632b58ccc87)
---
 src/nvim/option.c | 2 +-
 test/functional/autocmd/autocmd_spec.lua | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/nvim/option.c b/src/nvim/option.c
index 7db959544f..4bf2d59f8b 100644
--- a/src/nvim/option.c
+++ b/src/nvim/option.c
@@ -2726,11 +2726,11 @@ static void do_syntax_autocmd(buf_T *buf, bool value_changed)
 static int syn_recursive = 0;
 syn_recursive++;
+ buf->b_flags |= BF_SYN_SET;
 // Only pass true for "force" when the value changed or not used
 // recursively, to avoid endless recurrence.
 apply_autocmds(EVENT_SYNTAX, buf->b_p_syn, buf->b_fname, value_changed || syn_recursive == 1, buf);
- buf->b_flags |= BF_SYN_SET;
 syn_recursive--;
 }
diff --git a/test/functional/autocmd/autocmd_spec.lua b/test/functional/autocmd/autocmd_spec.lua
index b4317a3e50..d89840a34b 100644
--- a/test/functional/autocmd/autocmd_spec.lua
+++ b/test/functional/autocmd/autocmd_spec.lua
@@ -716,6 +716,15 @@ describe('autocmd', function()
 ]]
 end)
+ it('no use-after-free when wiping buffer in Syntax autocommand', function()
+ exec([[
+ new
+ autocmd Syntax * ++once bwipe!
+ setlocal syntax=vim
+ ]])
+ assert_alive()
+ end)
+
+ it('no use-after-free from win_enter autocommands in win_move_after', function()
 exec [[
 split foo
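Review bot: The moved `buf->b_flags |= BF_SYN_SET;` in do_syntax_autocmd (src/nvim/option.c) has no comment saying why it must come before apply_autocmds(), so a later cleanup could move it back and reintroduce the use-after-free. I would add `// Set the flag first: a Syntax autocommand may wipe "buf", so it must not be dereferenced after apply_autocmds().` directly above it. The flag is now already set while Syntax autocommands run, which looks intended but is worth confirming against any code reachable from the event that reads BF_SYN_SET. The function starts before the hunk, and it is not visible here whether apply_autocmds() copies `buf->b_p_syn` and `buf->b_fname` before running handlers that may free the buffer. The accompanying test only checks `assert_alive()`, so it presumably needs a sanitizer build to catch a regression reliably.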