VYPR
Unrated severity · NVD Advisory · Published Sep 15, 2021 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2021-3778

Description

A heap-based buffer overflow in vim versions 8.1 and 8.2 allows arbitrary code execution via crafted files or commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap-based buffer overflow vulnerability exists in vim versions 8.1 and 8.2 when built with --with-features=huge. The flaw resides in the ex_retab() function, triggered by the :retab command with a large argument, leading to invalid memory access [1].

Exploitation

An attacker must convince a user to open a specially crafted file or execute a malicious :retab command. No special network position or authentication is required; user interaction is the primary prerequisite [1].

Impact

Successful exploitation can result in arbitrary code execution within the context of the vim process. If vim is configured to run with elevated privileges (e.g., for editing system configuration files), this could lead to privilege escalation [1].

Mitigation

The vulnerability is fixed in vim patch 8.2.3402 [1]. Users should update to a patched version. There are no known workarounds; however, avoiding running vim with elevated privileges reduces risk.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

44

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check when computing character byte length from an invalid UTF-8 character value causes out-of-bounds read."

Attack vector

An attacker can trigger a heap-based buffer overflow by crafting a file containing an invalid UTF-8 byte sequence that causes `find_match_text()` to read past the end of the line buffer [ref_id=1]. The vulnerability is reachable when Vim processes a file with malformed UTF-8 characters during pattern matching, leading to out-of-bounds memory access. No authentication or special privileges are required beyond opening the crafted file in Vim.

Affected code

The heap buffer overflow occurs in `find_match_text()` in Vim's regexp engine, specifically at the line `len2 += MB_CHAR2LEN(c2)`: when an invalid UTF-8 byte sequence is encountered, the length derived from `c2` does not match the bytes actually present, so the scan advances and reads beyond the end of the line. The patch changes this line to use `utf_ptr2len()` under UTF-8 encoding, computing the byte length from the bytes in the buffer rather than from `MB_CHAR2LEN(c2)`.

What the fix does

The patch replaces `len2 += MB_CHAR2LEN(c2)` with a conditional that uses `utf_ptr2len(rex.line + col + len2)` when `enc_utf8` is true, otherwise falls back to `MB_CHAR2LEN(c2)` [ref_id=1]. This ensures that for UTF-8 encoding, the actual byte length of the character at the current position is computed by examining the bytes in the buffer rather than deriving the length from the already-read character value `c2`, which could be invalid. The added test case `Test_match_invalid_byte()` writes a file with invalid UTF-8 bytes and sources it to verify the fix.
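
The two length computations contrasted above, as an added example that is not Vim's code: `model_ptr2char`, `model_char2len` and `model_ptr2len` are hypothetical, simplified stand-ins for the decode-from-pointer, length-from-value and length-from-bytes routines, and `walk_line` models a comparison loop that decodes a character and then advances by the computed length. The constructed inputs are a valid two-byte character and a lone 0xF8 byte, which is not a legal UTF-8 lead byte. On the broken input the length-from-value path reports two bytes for a one-byte sequence and steps past the terminator; the length-from-bytes path stops on it.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Vim's source: a simplified model of the two byte-length
 * computations the advisory contrasts. model_ptr2char, model_char2len and
 * model_ptr2len are hypothetical stand-ins for Vim's decode, MB_CHAR2LEN and
 * utf_ptr2len routines; they share the shape of those functions, nothing more.
 */

/* Decode the UTF-8 sequence at p. A malformed sequence yields the lead
 * byte itself as the "character" value, which is the case that matters
 * here: the value then says nothing about how many bytes were consumed. */
static int model_ptr2char(const unsigned char *p)
{
    if (p[0] < 0x80)
        return p[0];
    if ((p[0] & 0xE0) == 0xC0 && (p[1] & 0xC0) == 0x80)
        return ((p[0] & 0x1F) << 6) | (p[1] & 0x3F);
    if ((p[0] & 0xF0) == 0xE0 && (p[1] & 0xC0) == 0x80
            && (p[2] & 0xC0) == 0x80)
        return ((p[0] & 0x0F) << 12) | ((p[1] & 0x3F) << 6) | (p[2] & 0x3F);
    if ((p[0] & 0xF8) == 0xF0 && (p[1] & 0xC0) == 0x80
            && (p[2] & 0xC0) == 0x80 && (p[3] & 0xC0) == 0x80)
        return ((p[0] & 0x07) << 18) | ((p[1] & 0x3F) << 12)
             | ((p[2] & 0x3F) << 6) | (p[3] & 0x3F);
    return p[0];                /* malformed: report the lead byte */
}

/* Length-from-value: how many bytes code point c WOULD occupy if encoded
 * properly. Fed a lead byte such as 0xF8 it answers 2, although only one
 * byte was consumed from the buffer. */
static int model_char2len(int c)
{
    if (c < 0x80)    return 1;
    if (c < 0x800)   return 2;
    if (c < 0x10000) return 3;
    return 4;
}

/* Length-from-bytes: how many bytes the sequence at p ACTUALLY occupies,
 * checked against the continuation bytes present. A malformed sequence
 * counts as one byte, so the caller never advances past bytes it has not
 * examined. A NUL is never a continuation byte, so this stops at the
 * terminator. */
static int model_ptr2len(const unsigned char *p)
{
    int n, i;

    if (p[0] < 0x80)
        return 1;
    if ((p[0] & 0xE0) == 0xC0)      n = 2;
    else if ((p[0] & 0xF0) == 0xE0) n = 3;
    else if ((p[0] & 0xF8) == 0xF0) n = 4;
    else
        return 1;                   /* 0x80..0xBF, 0xF8..0xFF: invalid lead */
    for (i = 1; i < n; i++)
        if ((p[i] & 0xC0) != 0x80)
            return 1;               /* truncated or broken continuation */
    return n;
}

/* Walk a NUL-terminated line the way a character-by-character comparison
 * loop does: decode, then advance by the computed byte length. Returns the
 * offset reached when the walk stops; anything beyond strlen(line) is a
 * position a real comparison would read from past the end of the buffer. */
static int walk_line(const char *line, int use_ptr2len)
{
    const unsigned char *p = (const unsigned char *)line;
    size_t nul = strlen(line);
    size_t off = 0;

    while (off < nul) {
        int c = model_ptr2char(p + off);
        off += use_ptr2len ? model_ptr2len(p + off) : model_char2len(c);
    }
    return (int)off;
}

/* 1 if the walk ended beyond the terminator, 0 if it stopped on it. */
static int walk_overshoots(const char *line, int use_ptr2len)
{
    return walk_line(line, use_ptr2len) > (int)strlen(line);
}

int main(void)
{
    /* Constructed inputs: a valid two-byte character, then a lone 0xF8. */
    const char *valid = "a\xC3\xA9";
    const char *broken = "a\xF8";

    printf("valid : char2len walk %d, ptr2len walk %d (line length %zu)\n",
           walk_line(valid, 0), walk_line(valid, 1), strlen(valid));
    printf("broken: char2len walk %d, ptr2len walk %d (line length %zu)\n",
           walk_line(broken, 0), walk_line(broken, 1), strlen(broken));
    printf("broken line overshoots: char2len %d, ptr2len %d\n",
           walk_overshoots(broken, 0), walk_overshoots(broken, 1));
    return 0;
}
```

The design point is the one the patch makes: once a decoder has returned a value for a malformed sequence, that value is not a trustworthy basis for an advance, so the step must come from re-examining the bytes at the current position, where a truncated or invalid sequence can be bounded to a single byte.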

Preconditions

  • input: The attacker must provide a file containing an invalid UTF-8 byte sequence that Vim will process.
  • config: Vim must be compiled with UTF-8 support (enc_utf8 enabled).

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9

News mentions

0

No linked articles in our index yet.