Heap-based Buffer Overflow in vim/vim
Description
A heap-based buffer overflow in vim's get_address() function allows a crash or potential memory corruption when a crafted search command with an invalid range is used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-3875 is a heap-based buffer overflow vulnerability in the get_address() function of vim, specifically affecting versions prior to patch 8.2.3489 [2]. The flaw occurs when a search command (like / or ?) follows another address and the line number (lnum) is set to a value greater than the current buffer's line count (ml_line_count), which can result in an out-of-bounds write to heap memory [2]. The vulnerability is triggered by a specially crafted search range input, such as \%.v followed by 5/ and c as shown in the test case added in the fix [2].
Exploitation
To exploit this vulnerability, an attacker must convince a victim to open a malicious file or execute a crafted command sequence in vim. The attack requires no special privileges; any user with the ability to open a file in vim could trigger the bug. By crafting a file that contains a search pattern with an invalid line number range (e.g., lnum set beyond the buffer's line count), the attacker can cause the get_address() function to use an unsanitized line number, leading to heap corruption [2]. No user interaction beyond opening the file or executing the malicious command is required.
Impact
Successful exploitation of the heap-based buffer overflow can lead to a crash of vim or potentially to arbitrary code execution, depending on the heap layout and memory protections. The impact is primarily a denial of service (crash) or memory corruption. In environments where vim is used to edit privileged files (e.g., system configuration files with elevated privileges), exploitation could lead to privilege escalation, although this is not a typical scenario [1].
Mitigation
The vulnerability has been patched in vim version 8.2.3489, released on 2021-10-15 [2]. Users should upgrade to the latest stable release of vim (8.2.3489 or later). No workaround is available for unpatched versions. The vulnerability is not listed in the Known Exploited Vulnerabilities (KEV) catalog. Fedora and other distributions have announced patches via their package update channels [3][4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
35 OSV coordinates (all pkg:rpm, none with a CPE assigned), each with the affected version range recorded for that package:
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3: < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1: < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209: < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing bounds check on the line number in `get_address()` allows setting the cursor to a value exceeding the buffer's line count, causing a heap-based buffer overflow."
Attack vector
An attacker can craft a Vim script file (e.g., a `.vim` file) containing a search command with an invalid range, such as `5/` after a pattern like `/\.v`. When Vim sources this file, the `get_address()` function sets the cursor line number to a value that exceeds the number of lines in the buffer, leading to a heap-based buffer overflow [ref_id=1]. No authentication or special privileges are required beyond opening the malicious file.
Affected code
The heap-based buffer overflow occurs in `get_address()` in `src/eval.c`. The patch adds a bounds check on `lnum` before assigning it to `curwin->w_cursor.lnum`, ensuring it does not exceed `curbuf->b_ml.ml_line_count`.
What the fix does
The patch adds two guards in `get_address()`: first, it checks that `lnum > 0` before using it, and second, it clamps `lnum` to `curbuf->b_ml.ml_line_count` if it exceeds the buffer's line count. This prevents the cursor from being set to an out-of-bounds line number, which previously caused a heap-buffer-overflow when Vim later accessed the line data [ref_id=1].
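A stripped-down C model of the two guards described above, added here as an illustration; it is not vim's code or the fix commit's diff. The `buf_T` struct, `ml_get_checked()` and `demo_start_fetchable()` are constructed for the example, and the 3-line buffer and the "start at line 5" request are made-up input.

```c
#include <stdio.h>
/* Hypothetical, stripped-down model of the cursor-line handling that vim
 * patch 8.2.3489 changed in get_address(); not vim's code, names mirror it. */
typedef long linenr_T;
#define MAXLNUM 0x7fffffffL   /* vim's "no address given" sentinel */

typedef struct {
    linenr_T    ml_line_count;   /* lines in the buffer, numbered from 1 */
    const char *lines[8];        /* line lnum lives at lines[lnum - 1] */
} buf_T;

/* Model of ml_get(): outside 1..ml_line_count is the "ml_get error" case. */
static const char *ml_get_checked(const buf_T *buf, linenr_T lnum)
{
    if (lnum < 1 || lnum > buf->ml_line_count)
        return NULL;
    return buf->lines[lnum - 1];
}

/* Pre-fix: a search that follows another address starts there verbatim. */
static linenr_T search_start_unpatched(linenr_T cursor, linenr_T lnum)
{
    return lnum != MAXLNUM ? lnum : cursor;
}

/* Post-fix, as described above: ignore non-positive line numbers and clamp
 * anything past the end of the buffer to ml_line_count. */
static linenr_T search_start_patched(const buf_T *buf, linenr_T cursor,
                                     linenr_T lnum)
{
    if (lnum > 0 && lnum != MAXLNUM)
        return lnum > buf->ml_line_count ? buf->ml_line_count : lnum;
    return cursor;
}

/* Constructed scenario: 3-line buffer, cursor on line 1, a search that (like
 * "5/") asks to start at line 5. 1 if the chosen start line is fetchable. */
static int demo_start_fetchable(int patched)
{
    const buf_T buf = { 3, { "one", "two", "three" } };
    linenr_T start = patched ? search_start_patched(&buf, 1, 5)
                             : search_start_unpatched(1, 5);
    return ml_get_checked(&buf, start) != NULL;
}

int main(void)
{
    printf("unpatched fetchable=%d  patched fetchable=%d\n",
           demo_start_fetchable(0), demo_start_fetchable(1));
    return 0;
}
```

The unpatched variant hands line 5 of a 3-line buffer to the line fetch, which is the condition the advisory calls an ml_get error; the patched variant clamps it to line 3.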
Preconditions
- input: The attacker must supply a Vim script file that triggers a search with an invalid range (e.g., a line number larger than the buffer's line count).
- input: The user must open or source the malicious file in Vim.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7K4JJBIH3OQSZRVTWKCJCDLGMFGQ5DOH/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/S42L4Z4DTW4LHLQ4FJ33VEOXRCBE7WN4/ (MITRE, vendor advisory, x_refsource_FEDORA)
- security.gentoo.org/glsa/202208-32 (MITRE, vendor advisory, x_refsource_GENTOO)
- www.openwall.com/lists/oss-security/2022/01/15/1 (MITRE, mailing list, x_refsource_MLIST)
- github.com/vim/vim/commit/35a319b77f897744eec1155b736e9372c9c5575f (MITRE, x_refsource_MISC)
- huntr.dev/bounties/5cdbc168-6ba1-4bc2-ba6c-28be12166a53 (MITRE, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.