Use of Uninitialized Variable in vim/vim

Vulnerability

CVE-2021-3928 is a use-of-uninitialized-variable vulnerability in vim prior to patch 8.2.3582 [2]. The bug resides in the suggest_trie_walk() function inside src/spell.c. When generating spell suggestions, the code checks whether a character is a word character via spell_iswordp(p, curwin), but before that check it does not verify that *preword is not NUL. This means if preword is an empty string, the pointer p is moved backward via MB_PTR_BACK(fword, p) into uninitialized memory, and the subsequent spell_iswordp() call reads that uninitialized area [2]. The affected versions include all vim releases before the fix commit 15d9890eee53afc61eb0a03b878a19cb5672f732 was incorporated [2].

Exploitation

To trigger the vulnerability, an attacker must convince a victim to open a specially crafted text file in vim and then invoke the spell suggestion feature (e.g., by typing z= on a misspelled word) [1]. No authentication or elevated privileges are required on the victim's side, but the attack requires user interaction. The fix commit includes a test case Test_spell_single_word() that reproduces the crash by entering specific characters and performing spell operations [2].

Impact

Successful exploitation results in reading uninitialized memory, which can cause undefined behavior — typically a crash (denial of service) but potentially information disclosure if the uninitialized data contains sensitive values [1]. The impact is limited by the need for user interaction and the specific spell suggestion code path.

Mitigation

The vulnerability was fixed in vim patch 8.2.3582, released on the same day the commit was made (2021-11-05) [2]. Users should upgrade to vim version 8.2.3582 or later. Distributions, such as Fedora, have released updated packages; administrators should apply those updates [3][4]. No workaround exists other than avoiding use of the spell suggestion feature on untrusted input.