Use After Free in vim/vim
Description
Vim suffers from a use-after-free vulnerability in the regex engine when processing marks, potentially leading to memory corruption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a use-after-free in vim's regexp engine when handling marks (NFA_MARK_GT, NFA_MARK_LT). Specifically, in the nfa_regmatch function, after obtaining a mark position via getmark_buf, the code uses rex.input and rex.line pointers. Under certain conditions, the line referenced by rex.line can be freed, leaving a dangling pointer. The bug affects vim versions prior to patch 8.2.3612 [2]. The issue was introduced by earlier changes that allowed marks to be used in regex patterns.
Exploitation
An attacker can exploit this by crafting a file that, when opened in vim, triggers a regex operation using a mark (e.g., :%s/\%'t/). The attacker needs to convince the victim to open the malicious file or execute the pattern. No special privileges are required. The use-after-free occurs during pattern matching.
Impact
Successful exploitation could lead to memory corruption, potentially allowing arbitrary code execution. However, the exact impact is limited because vim typically runs with user privileges. The vulnerability is categorized as a use-after-free, which commonly leads to denial of service or information disclosure, but code execution is theoretically possible.
Mitigation
The fix was committed in vim patch 8.2.3612 [2] on 2021-11-19 (the same day as the CVE publication). Users should upgrade to vim version 8.2.3612 or later. Fedora and other distributions have backported the patch. No workaround is available; upgrading is recommended.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
36 OSV coordinates, 35 versioned packages (no CPE entries); ranges are listed in the package order of the OSV record:
- pkg:rpm/opensuse/vim (openSUSE Leap 15.3): < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim (openSUSE Leap 15.4): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Enterprise Storage 6): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Enterprise Storage 7): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15-ESPOS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise High Performance Computing 15-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Micro 5.1): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Micro 5.2): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Module for Basesystem 15 SP3): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Module for Basesystem 15 SP4): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Module for Desktop Applications 15 SP3): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Module for Desktop Applications 15 SP4): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 12 SP2-BCL): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 12 SP3-BCL): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 12 SP4-LTSS): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 12 SP5): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 15 SP1-BCL): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 15 SP1-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 15 SP2-BCL): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 15 SP2-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server 15-LTSS): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server for SAP Applications 12 SP4): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server for SAP Applications 12 SP5): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server for SAP Applications 15): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server for SAP Applications 15 SP1): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Linux Enterprise Server for SAP Applications 15 SP2): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Manager Proxy 4.1): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Manager Retail Branch Server 4.1): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE Manager Server 4.1): < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim (SUSE OpenStack Cloud 9): < 9.0.0814-17.9.1
- pkg:rpm/suse/vim (SUSE OpenStack Cloud Crowbar 9): < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free: `rex.input` pointer is not updated after `getmark_buf()` may free and reallocate the line buffer."
Attack vector
An attacker can trigger a use-after-free by crafting a regex pattern that uses a mark reference (`\%'` or `\%<` / `\%>`) in a substitution command. When `getmark_buf()` is called, the underlying line buffer may be freed and reallocated, but `rex.input` still points to the old freed memory. The test case in the patch shows the crash with `s/\%')` on a single-line buffer [ref_id=1]. No authentication or special privileges are required beyond the ability to open a file and run a substitution command in Vim.
Affected code
The vulnerability is in `nfa_regmatch()` in Vim's regexp engine. The `rex.input` pointer was stored as an offset into `rex.line`, but after `getmark_buf()` is called the line buffer could be freed and reallocated, leaving `rex.input` pointing into freed memory. The patch changes the `input` field's comment from "points into \"regline\"" to "points into \"line\"" and adds code to re-fetch `rex.line` and recompute `rex.input` after retrieving the mark position [ref_id=1].
What the fix does
The patch adds a `size_t col = rex.input - rex.line;` before the `getmark_buf()` call, then after the call, if `REG_MULTI` is set, it re-fetches `rex.line` via `reg_getline(rex.lnum)` and recomputes `rex.input = rex.line + col;`. This ensures that even if the line buffer was freed and reallocated by `getmark_buf()`, the `input` pointer is recalculated to point into the valid new buffer. The comment change from "points into \"regline\"" to "points into \"line\"" reflects that the pointer is now relative to `rex.line` rather than the old `regline` field [ref_id=1].
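The re-anchoring pattern the patch introduces, as an added C example that is not vim's code: a constructed model in which the mark lookup reallocates the line, and the match step saves `input` as an offset, re-fetches `line` and rebuilds the pointer. `regexec_model_T`, `model_getmark_buf()` and `model_reg_getline()` are stand-ins for vim's `regexec_T`, `getmark_buf()` and `reg_getline()`, assumed here only for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the regexec state the patch touches (not vim's real structs). */
typedef struct {
    char *line;   /* text of the current line; a mark lookup may reallocate it */
    char *input;  /* current match position; must point into line */
    int   lnum;   /* line number used to re-fetch the line */
} regexec_model_T;

/* Constructed single-line buffer standing in for the Vim buffer. */
static char *model_buf_line;
/* Stand-in for reg_getline(): returns where line lnum currently lives. */
static char *model_reg_getline(int lnum) { (void)lnum; return model_buf_line; }

/* Stand-in for getmark_buf(): frees and reallocates the line as a side effect. */
static int model_getmark_buf(void)
{
    size_t len = strlen(model_buf_line) + 1;
    char *moved = malloc(len + 64);      /* fresh allocation; old one is freed */
    memcpy(moved, model_buf_line, len);
    free(model_buf_line);
    model_buf_line = moved;
    return 0;                            /* mark column, unused by the model */
}

/* The corrected step from patch 8.2.3612: keep the offset, make the call,
 * re-fetch the line and rebuild input from the offset. Returns the character
 * under the match position, read from the valid, newly allocated line. */
int match_mark_fixed(regexec_model_T *rex, int reg_multi)
{
    size_t col = (size_t)(rex->input - rex->line);   /* offset survives realloc */
    (void)model_getmark_buf();                       /* may free rex->line */
    if (reg_multi) {
        rex->line  = model_reg_getline(rex->lnum);   /* current storage */
        rex->input = rex->line + col;                /* no dangling pointer */
    }
    return rex->input[0];
}

/* Places the match position at column col of a constructed one-line buffer. */
void model_setup(regexec_model_T *rex, const char *text, size_t col)
{
    size_t len = strlen(text) + 1;
    model_buf_line = malloc(len);
    memcpy(model_buf_line, text, len);
    rex->line  = model_buf_line;
    rex->input = model_buf_line + col;
    rex->lnum  = 1;
}
```

Without the offset save and re-fetch, `rex->input` would still point into the block `model_getmark_buf()` freed, which is the dangling pointer the advisory describes.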
Preconditions
- input: User must open a file in Vim and execute a substitution command with a regex pattern containing a mark reference (e.g., `s/\%')`).
- config: The regex engine must be in NFA mode (the default in many Vim builds).
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/ (mitre; vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IH2LS2DXBTYOCWGAKFMBF3HTWWXPBEFL/ (mitre; vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre; vendor-advisory)
- www.openwall.com/lists/oss-security/2022/01/15/1 (mitre; mailing-list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (mitre; mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mitre; mailing-list)
- github.com/vim/vim/commit/64066b9acd9f8cffdf4840f797748f938a13f2d6 (mitre)
- huntr.dev/bounties/e402cb2c-8ec4-4828-a692-c95f8e0de6d4 (mitre)
News mentions
No linked articles in our index yet.