Heap-based Buffer Overflow in vim/vim
Description
Vim C-indenting function has a heap-based buffer overflow when processing malformed C code, potentially leading to a crash or code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2021-3984 is a heap-based buffer overflow in Vim's C-indenting functionality, specifically in the find_start_brace function. The flaw exists in Vim versions prior to 8.2.3625 and occurs when the editor processes a malformed C file that triggers an illegal memory access during indentation. The find_start_brace function, which is marked with a comment indicating it is problematic ("XXX"), had a bug where it could copy a pos_T structure beyond allocated memory, leading to a heap-based buffer overflow [1][2].
Exploitation
Exploitation requires an attacker to craft a malicious C source file that, when opened and subjected to Vim's C-indentation (for example, by using the `=` operator on a visual selection or by automatic indentation), triggers the overflow in find_start_brace. A proof-of-concept test in the patch [2] shows that the sequence of operations `new`, `norm R/*`, `norm o0{`, `norm o//`, `norm V{=` is sufficient to reproduce the issue. No special privileges beyond normal file opening are required; the attacker only needs to convince a user to open the crafted file in Vim [1][2].
Impact
Successful exploitation triggers the heap-based buffer overflow, which may result in a crash (denial of service) or potentially arbitrary code execution in the context of the Vim process. The weakness is classified as a heap-based buffer overflow (CWE-122), and because Vim is widely used to edit configuration files and source code, an attacker could leverage it to compromise a system if Vim is run with elevated privileges [1][4].
Mitigation
The fix was implemented in Vim patch 8.2.3625, released on or before September 30, 2021 [2]. Users should upgrade to Vim version 8.2.3625 or later. Gentoo has released a GLSA (GLSA 202208-32) advising users to upgrade to Vim 9.0.0060 or later [4]. No workaround is known, as the vulnerability is triggered by the built-in C-indentation logic that cannot be easily disabled without losing functionality [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
OSV package coordinates (42 packages, no CPE identifiers assigned) with the fixed-version range reported for each:
- pkg:rpm/almalinux/vim-common: range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-enhanced: range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-filesystem: range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-minimal: range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/almalinux/vim-X11: range < 2:8.0.1763-16.el8_5.13
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.3: range < 8.2.5038-150000.5.21.1
- pkg:rpm/opensuse/vim&distro=openSUSE%20Leap%2015.4: range < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%206: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Enterprise%20Storage%207: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-ESPOS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.0: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.1: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Micro%205.2: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4: range < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP3: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Desktop%20Applications%2015%20SP4: range < 8.2.5038-150000.5.21.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Real%20Time%2015%20SP2: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-BCL: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3-BCL: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4-LTSS: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-BCL: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP4: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Proxy%204.1: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Retail%20Branch%20Server%204.1: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20Manager%20Server%204.1: range < 8.0.1568-5.17.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%209: range < 9.0.0814-17.9.1
- pkg:rpm/suse/vim&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209: range < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Partial assignment of a position structure (only line number, not column) in find_start_brace() leaves the column index uncontrolled, enabling out-of-bounds memory access."
Attack vector
An attacker can trigger this by crafting a malicious C source file that, when opened and auto-indented in Vim, makes `find_start_brace()` move the cursor to the line of a located `pos_T` while the cursor's column field keeps a stale value that may be out of range for that line. The fixed assignment `curwin->w_cursor = *pos` copies the full position, but the original code only set `lnum`, leaving `col` uncontrolled. This can lead to a heap-based buffer overflow [CWE-122] during subsequent cursor operations. The attack requires the victim to open the crafted file and execute the `=` indent command.
Affected code
The vulnerability is in the `find_start_brace()` function in `src/eval.c` (patch 8.2.3625). The function incorrectly assigned only the line number (`curwin->w_cursor.lnum = pos->lnum`) instead of copying the entire `pos_T` structure, which could leave the column index uninitialized or out-of-bounds, leading to a heap-based buffer overflow when C-indenting code.
What the fix does
The patch changes `curwin->w_cursor.lnum = pos->lnum;` to `curwin->w_cursor = *pos;` in `find_start_brace()`. This ensures the entire `pos_T` structure (including the column index) is copied, not just the line number. Previously, the column field of `w_cursor` could retain an arbitrary value from a previous operation, causing out-of-bounds memory access when Vim later used that column to index into a line buffer. The added test case (`Test_find_brace_backwards`) reproduces the crash scenario with a multi-line C comment followed by indentation.
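To make the mechanism concrete, here is an added C model (not Vim's code; only the `pos_T` field names follow Vim, the buffer, function names and the bounds check are assumptions for this example) that contrasts the partial `lnum`-only assignment with the whole-struct copy and checks the resulting cursor against the length of its new line:

```c
#include <stddef.h>
#include <string.h>

/* Modelled after Vim's pos_T (line number + byte column). Everything else
 * here is an assumption for this example, not Vim's actual code. */
typedef struct { long lnum; int col; } pos_T;

/* Constructed sample buffer: a long comment line, then a lone brace and
 * a short comment, mirroring the shape of the patch's test case. */
static const char *lines[] = {
    "/* a deliberately long comment line so the cursor column is large */",
    "{",
    "//",
};
#define NLINES ((long)(sizeof lines / sizeof lines[0]))

/* 1 if the cursor addresses a byte (or the NUL) of its own line, else 0.
 * This is the check that a stale column fails. */
int cursor_in_bounds(pos_T cursor)
{
    if (cursor.lnum < 1 || cursor.lnum > NLINES) return 0;
    return cursor.col >= 0 && (size_t)cursor.col <= strlen(lines[cursor.lnum - 1]);
}

/* Pre-fix pattern: only lnum is taken from the found brace position;
 * col keeps whatever the cursor held before (stale for the new line). */
pos_T set_cursor_partial(pos_T cursor, const pos_T *found)
{
    cursor.lnum = found->lnum;
    return cursor;
}

/* Post-fix pattern (the 8.2.3625 change): copy the whole position. */
pos_T set_cursor_full(pos_T cursor, const pos_T *found)
{
    (void)cursor;           /* the previous position is irrelevant */
    return *found;
}

/* Scenario: the cursor sits at the end of the long line 1 (large col) and
 * the brace search lands on line 2, col 0. Returns 1 when the partial copy
 * yields an out-of-range column while the full copy stays in bounds. */
int stale_column_detected(void)
{
    pos_T cursor = { 1, (int)strlen(lines[0]) };
    pos_T brace  = { 2, 0 };
    pos_T partial = set_cursor_partial(cursor, &brace);
    pos_T full    = set_cursor_full(cursor, &brace);
    return !cursor_in_bounds(partial) && cursor_in_bounds(full);
}
```

In real Vim the stale column is not checked; it is used to index into the line's memory, which is where the heap overflow comes from.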
Preconditions
- Input: the victim must open a crafted C source file in Vim
- Input: the victim must apply the `=` auto-indent command on the affected region
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/ (MITRE, vendor advisory)
- security.gentoo.org/glsa/202208-32 (MITRE, vendor advisory)
- www.openwall.com/lists/oss-security/2022/01/15/1 (MITRE, mailing list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (MITRE, mailing list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (MITRE, mailing list)
- github.com/vim/vim/commit/2de9b7c7c8791da8853a9a7ca9c467867465b655 (MITRE)
- huntr.dev/bounties/b114b5a2-18e2-49f0-b350-15994d71426a (MITRE)
News mentions
No linked articles in our index yet.