VYPR
Unrated severity · NVD Advisory · Published Nov 19, 2021 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2021-3968

Description

CVE-2021-3968 is a heap-based buffer overflow in vim caused by triggering ModeChanged before VIsual is set, leading to a crash.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-3968 is a heap-based buffer overflow in Vim's Visual mode handling. In n_start_visual_mode(), trigger_modechanged() fired the ModeChanged autocommand before VIsual (the start position of the Visual area) and the VIsual_active and VIsual_reselect flags had been set, so an autocommand that edits the buffer at that point runs against a half-initialized Visual state and can crash Vim. Vim versions before patch 8.2.3610 are affected; the patch corrects the order of operations by moving the trigger_modechanged() call to after VIsual is assigned [2].

Exploitation

Exploitation needs two things: a ModeChanged autocommand that edits the buffer while Visual mode is being initialized (the reported trigger is au! ModeChanged * norm 0u), and an entry into Visual mode, which fires ModeChanged from n_start_visual_mode() before VIsual is set and leads to the heap overflow [2]. No authentication or network access is involved, but opening a plain data file is not enough: a data file cannot define an autocommand, so the autocommand has to come from the victim's own configuration or from an attacker-supplied Vim script that the victim sources (for example with vim -S or :source). The victim, or the script, then has to enter Visual mode on a vulnerable Vim.

Impact

Successful exploitation crashes Vim through the heap-based buffer overflow, a denial of service for the editing session. As the reference notes, this does not normally cross a security boundary; it matters more when Vim runs with elevated privileges (for example under sudo to edit system configuration files), where the crash takes down a privileged editing session [1]. Although the bug is classified as a heap overflow, the reports document only a crash; no code execution or data corruption beyond the crash is indicated.

Mitigation

The fix is patch 8.2.3610, which moves the trigger_modechanged() call in n_start_visual_mode() to after VIsual is set, so the autocommand sees a fully initialized Visual state [2]. Update to a Vim that includes patch 8.2.3610; vim --version lists the included patches, and :echo has('patch-8.2.3610') reports it from inside Vim. Where updating is not immediately possible, do not define ModeChanged autocommands that edit the buffer or otherwise depend on the Visual state, and do not source untrusted Vim scripts; opening an untrusted data file on its own does not trigger the bug.
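The script below is an added example for the two preceding sections (exploitation and mitigation); it is not part of this advisory or of the Vim project. It checks whether a Vim build includes patch 8.2.3610 by parsing the output of vim --version, whose "Included patches:" line is real Vim output (the sample version strings here are constructed), and it writes the trigger script. In that script the autocommand is the one cited above; the feedkeys and qa! lines are my assumption of how to enter Visual mode and exit without a terminal, and the script should only ever be run against a disposable, known-vulnerable build.

```shell
#!/bin/sh
# Added example, not from the advisory or the Vim project.
# has_patch: decide whether a Vim build includes a given patch by parsing the
# output of `vim --version`, whose second line lists applied patches as
# "Included patches: 1-3600, 3605-3609" (comma-separated ranges and singles).
# A later release series (e.g. 9.0) is treated as including every 8.2 patch.
# The three version strings below are constructed sample output.

SAMPLE_VULNERABLE='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Nov 01 2021 00:00:00)
Included patches: 1-3600, 3605-3609'
SAMPLE_FIXED='VIM - Vi IMproved 8.2 (2019 Dec 12, compiled Dec 01 2021 00:00:00)
Included patches: 1-3610'
SAMPLE_VIM9='VIM - Vi IMproved 9.0 (2022 Jun 28, compiled Jul 01 2022 00:00:00)
Included patches: 1-100'

# has_patch VERSION_OUTPUT MAJOR.MINOR.PATCH
# returns 0 if the patch is included, 1 if not, 2 if the header is unparseable
has_patch() {
  version_output=$1
  want_major=${2%%.*}
  rest=${2#*.}
  want_minor=${rest%%.*}
  want_patch=${rest#*.}

  have_mm=$(printf '%s\n' "$version_output" \
    | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
  [ -n "$have_mm" ] || return 2
  have_major=${have_mm%%.*}
  have_minor=${have_mm#*.}

  # Newer series: every patch of the older series is included.
  if [ "$have_major" -gt "$want_major" ] ||
     { [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -gt "$want_minor" ]; }; then
    return 0
  fi
  # Older series: the patch cannot be present.
  if [ "$have_major" -lt "$want_major" ] || [ "$have_minor" -lt "$want_minor" ]; then
    return 1
  fi

  # Same series: walk the "Included patches:" list, which may contain gaps.
  patches=$(printf '%s\n' "$version_output" \
    | sed -n 's/^Included patches: //p' | tr -d ' ')
  old_ifs=$IFS
  IFS=,
  for item in $patches; do
    case $item in
      *-*) lo=${item%-*}; hi=${item#*-} ;;
      *)   lo=$item;      hi=$item ;;
    esac
    if [ "$want_patch" -ge "$lo" ] && [ "$want_patch" -le "$hi" ]; then
      IFS=$old_ifs
      return 0
    fi
  done
  IFS=$old_ifs
  return 1
}

# cve_2021_3968_status VERSION_OUTPUT -> prints "patched" or "vulnerable"
cve_2021_3968_status() {
  if has_patch "$1" 8.2.3610; then echo patched; else echo vulnerable; fi
}

# write_repro FILE: write the trigger script.  The autocommand is the one
# cited in the advisory; feedkeys and qa! are my assumption of how to enter
# Visual mode and exit non-interactively.  Run only against a disposable,
# vulnerable build:  vim -u NONE -S FILE
write_repro() {
  cat > "$1" <<'EOF'
" CVE-2021-3968 trigger: edit from ModeChanged while the Visual state is half set
au! ModeChanged * norm 0u
" entering Visual mode fires ModeChanged from n_start_visual_mode()
call feedkeys('v', 'xt')
qa!
EOF
}

# Usage against the installed editor (needs vim on PATH):
#   cve_2021_3968_status "$(vim --version)"
```

The parser walks the "Included patches:" list rather than comparing the first number only, because distribution builds sometimes carry gaps in the patch list; a version like "1-3600, 3605-3609" does not include 3610 even though its highest number is close. Vim 9.0 and later are treated as patched because they were cut after the whole 8.2 series.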

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 37

Patches: 0

No patches linked in this index yet (the upstream fix is Vim patch 8.2.3610, described above).

Vulnerability mechanics

Root cause

"Calling trigger_modechanged() before VIsual is fully initialized in n_start_visual_mode() causes a heap-based buffer overflow when ModeChanged autocommands execute."

Attack vector

An attacker-supplied Vim script, or the victim's own configuration, defines a `ModeChanged` autocommand; entering Visual mode then fires it from `n_start_visual_mode()`. Because `trigger_modechanged()` was called before `VIsual` was fully set, the autocommand operated on an inconsistent Visual state, leading to a heap-based buffer overflow [ref_id=1]. The attack requires the victim to execute the script (or have the autocommand configured) and then enter Visual mode; opening a crafted data file on its own does not define an autocommand.

Affected code

The bug is in `n_start_visual_mode()` in Vim's source code. The patch moves the `trigger_modechanged()` call from before setting `VIsual_active` and `VIsual_reselect` to after those assignments and after `foldAdjustVisual()` [ref_id=1].

What the fix does

The patch moves the `trigger_modechanged()` call in `n_start_visual_mode()` to after `VIsual_active`, `VIsual_reselect`, and `foldAdjustVisual()` are set [ref_id=1]. This ensures that when the `ModeChanged` autocommand fires, the visual selection state is fully initialized, preventing the crash and heap buffer overflow.

Preconditions

  • input: The victim must execute a Vim script (or carry configuration) that defines a ModeChanged autocommand, and then enter Visual mode; opening a data file alone does not do this.
  • config: The ModeChanged autocommand must perform an action (e.g., `norm 0u`) that relies on a fully initialized Visual state.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.