VYPR
Unrated severity · NVD Advisory · Published Nov 5, 2021 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2021-3927

Description

CVE-2021-3927 is a heap-based buffer overflow in vim that could be triggered by opening a crafted file, potentially leading to a crash or code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-3927 is a heap-based buffer overflow vulnerability in vim, a widely used text editor. The bug resides in the editor's file parsing code and can be triggered when a user opens a specially crafted file. The exact affected versions are not specified in the available references, but the issue was reported in late 2021 [1].

Exploitation

An attacker would need to convince a victim to open a maliciously crafted file in vim. No authentication or special privileges are required beyond normal user access to vim. The exploitation sequence involves the victim opening the file, which causes vim to process malformed data, leading to a heap-based buffer overflow [1].

Impact

Successful exploitation could result in a crash of vim (denial of service) or potentially arbitrary code execution in the context of the user running vim. The exact impact depends on the heap layout and memory protections [1].

Mitigation

No specific fixed version or patch is disclosed in the available references. Users should monitor vim's official releases and apply updates as soon as they become available. As a general precaution, avoid opening untrusted files in vim [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

39

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing cursor column validation after setting the cursor line number in ex_put() allows a heap-based buffer over-read."

Attack vector

An attacker can trigger a heap-based buffer overflow by executing the `:put` command with a count that places the cursor above the first line, combined with a prior `0o0` normal-mode command that sets an invalid cursor column. The missing `check_cursor_col()` call after the line number assignment lets the cursor column remain out of bounds, causing `do_put()` to read past the allocated line memory [ref_id=1].

Affected code

The bug is in `ex_put()` in `ex_cmds.c` (patch hunk `@@ -7774,6 +7774,7 @@`). After setting `curwin->w_cursor.lnum` to `eap->line2`, the cursor column was not validated, allowing a column value that points past the end of the line.

What the fix does

The patch adds a single call to `check_cursor_col()` after `curwin->w_cursor.lnum = eap->line2` in `ex_put()`. This ensures the cursor column is clamped to a valid position within the new line before `do_put()` is invoked, preventing an out-of-bounds memory read. The accompanying test `Test_put_above_first_line()` reproduces the scenario that previously triggered the overflow [ref_id=1].
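
The missing clamp described above, as a simplified C model (an added example, not Vim's source or the patch itself). The struct layout, the 0-based line index and the names `col_in_bounds`, `model_check_cursor_col`, `put_before_fix` and `put_after_fix` are assumptions; the code reports whether the column is in bounds instead of performing the read.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Vim source: 0-based line index, NUL-terminated lines. */
typedef struct { size_t lnum, col; } pos_T;
typedef struct { const char **lines; size_t count; pos_T cursor; } win_T;

/* A column is readable only if it indexes the line or its terminating NUL. */
int col_in_bounds(const win_T *w) {
    return w->cursor.col <= strlen(w->lines[w->cursor.lnum]);
}

/* Plays the role of check_cursor_col(): clamp the column to the current line. */
void model_check_cursor_col(win_T *w) {
    size_t len = strlen(w->lines[w->cursor.lnum]);
    if (len == 0)
        w->cursor.col = 0;
    else if (w->cursor.col >= len)
        w->cursor.col = len - 1;
}

/* Before the fix: only the line changes, the column keeps its stale value. */
int put_before_fix(win_T *w, size_t line2) {
    w->cursor.lnum = line2;
    return col_in_bounds(w);  /* 0: a later line[col] read would be out of bounds */
}

/* After the fix: clamp the column right after the line assignment. */
int put_after_fix(win_T *w, size_t line2) {
    w->cursor.lnum = line2;
    model_check_cursor_col(w);
    return col_in_bounds(w);
}

int main(void) {
    const char *lines[] = { "", "a longer second line" };  /* constructed sample */
    win_T w = { lines, 2, { 1, 15 } };  /* cursor on line 1, column 15 */
    int ok = put_before_fix(&w, 0);     /* move to the empty line 0 */
    printf("before fix: in bounds = %d (col %zu)\n", ok, w.cursor.col);
    w.cursor = (pos_T){ 1, 15 };        /* reset to the same starting state */
    ok = put_after_fix(&w, 0);
    printf("after fix:  in bounds = %d (col %zu)\n", ok, w.cursor.col);
    return 0;
}
```
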

Preconditions

  • input: The attacker must be able to execute Vim normal-mode and ex commands (e.g., via a crafted file or macro).
  • input: The cursor column must be set to an invalid value (e.g., by `0o0` normal command) before the `:put` command is issued.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
