Use After Free in vim/vim
Description
A use-after-free vulnerability in vim's visual_redr function can lead to a crash or memory corruption when handling certain editing operations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A use-after-free vulnerability exists in vim, affecting versions prior to the patch incorporated in vim 9.0.0060. The flaw occurs in the visual_redr function, where a freed memory pointer is used during window redrawing operations triggered by visual mode events. The vulnerability is reachable when a user opens a specially crafted file or performs specific editing actions that trigger the vulnerable code path [1][4].
Exploitation
An attacker must convince a user to open a malicious file or execute a series of editing commands that invoke the vulnerable window redrawing code. No special privileges are required on the part of the attacker beyond the ability to craft the input; the attack relies on the victim's interaction. The use-after-free is triggered when vim attempts to free and then re-use a memory region related to visual selection display [1].
Impact
Successful exploitation of the use-after-free could result in a denial of service (crash) or potentially allow arbitrary code execution in the context of the vim process. The impact is limited to the vim session; however, if vim is running with elevated privileges (e.g., editing system configuration files), the consequences could be more severe [1].
Mitigation
Users should upgrade to vim version 9.0.0060 or later, which contains the fix for this vulnerability. The Gentoo security advisory GLSA 202208-32 provides instructions for updating vim via the package manager [4]. No workaround is known at the time of disclosure [4].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
37 total; osv-coords, 35 versions:
- openSUSE Leap 15.3 (pkg:rpm/opensuse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- openSUSE Leap 15.4 (pkg:rpm/opensuse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Enterprise Storage 6 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Enterprise Storage 7 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15 SP1-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15 SP2-ESPOS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15-ESPOS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise High Performance Computing 15-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Micro 5.1 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Micro 5.2 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Module for Basesystem 15 SP3 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Module for Basesystem 15 SP4 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Module for Desktop Applications 15 SP3 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Module for Desktop Applications 15 SP4 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server 12 SP2-BCL (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server 12 SP3-BCL (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server 12 SP4-LTSS (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server 12 SP5 (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server 15 SP1-BCL (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server 15 SP1-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server 15 SP2-BCL (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server 15 SP2-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server 15-LTSS (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP4 (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server for SAP Applications 12 SP5 (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE Linux Enterprise Server for SAP Applications 15 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP1 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Manager Proxy 4.1 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Manager Retail Branch Server 4.1 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE Manager Server 4.1 (pkg:rpm/suse/vim, no CPE), range: < 8.2.5038-150000.5.21.1
- SUSE OpenStack Cloud 9 (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
- SUSE OpenStack Cloud Crowbar 9 (pkg:rpm/suse/vim, no CPE), range: < 9.0.0814-17.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Use-after-free in ex_open() because ml_get_curline() pointer is used after the line buffer may be freed during regex matching."
Attack vector
An attacker can trigger this use-after-free by crafting a file that, when opened with the `:open` command in Vim, causes the line buffer to be flushed during regex matching. The attacker must be able to supply a file whose content, combined with the `:open` command's argument, forces `ml_get_curline()` to return a pointer that becomes invalid while `vim_regexec()` is still using it. This is a local attack vector requiring the victim to open a malicious file.
Affected code
The vulnerability is in the `ex_open()` function in `src/ex_docmd.c`. The original code called `ml_get_curline()` and stored the pointer, then passed that pointer to `vim_regexec()` — but `ml_get_curline()` can return a pointer to a line buffer that may be freed and reallocated during regex matching, leading to a use-after-free when `regmatch.startp[0]` is dereferenced against the stale pointer.
What the fix does
The patch [ref_id=1] fixes the use-after-free by making a copy of the current line with `vim_strsave(ml_get_curline())` before performing regex matching. The copy (`line`) is used in `vim_regexec()` and for computing the cursor column, and is freed with `vim_free(line)` after use. This ensures that even if the original line buffer is flushed or reallocated during regex execution, the regex engine operates on a stable copy of the line data.
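The copy-before-match pattern described above, as an added example that is not vim's code and not part of the original page: a toy one-slot line cache stands in for the line buffer, and `line_cache`, `cache_get_line`, `match_and_flush` and `find_column` are hypothetical names. The generation counter only records that the borrowed pointer was invalidated during matching; the stale pointer is never dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct line_cache {       /* toy one-slot line cache (hypothetical, not vim's code) */
    char *buf;            /* most recently fetched line */
    unsigned generation;  /* bumped whenever buf is freed and replaced */
};
static const char *const SAMPLE[] = { "first line", "find the needle here" }; /* constructed */

/* Fetch a line; the pointer returned by the previous call is freed. */
static const char *cache_get_line(struct line_cache *c, int lnum) {
    size_t n = strlen(SAMPLE[lnum]) + 1;
    free(c->buf);
    c->buf = malloc(n);
    if (c->buf == NULL) abort();
    memcpy(c->buf, SAMPLE[lnum], n);
    c->generation++;
    return c->buf;
}

/* Matcher whose side effect replaces the cache buffer before it reads text. */
static const char *match_and_flush(struct line_cache *c, const char *text, const char *pat) {
    (void)cache_get_line(c, 0);   /* any borrowed cache pointer now dangles */
    return strstr(text, pat);
}

/* Hardened pattern: match on a private copy; *stale reports invalidation. */
static long find_column(struct line_cache *c, int lnum, const char *pat, int *stale) {
    const char *borrowed = cache_get_line(c, lnum);
    unsigned gen = c->generation;
    size_t n = strlen(borrowed) + 1;
    char *line = malloc(n);
    if (line == NULL) abort();
    memcpy(line, borrowed, n);                 /* stable copy of the line */
    const char *hit = match_and_flush(c, line, pat);
    long col = hit ? (long)(hit - line) : -1;  /* offset within the copy, -1 if none */
    *stale = (c->generation != gen);           /* borrowed pointer was invalidated */
    free(line);
    return col;
}

int main(void) {
    struct line_cache c = {0};
    int stale = 0;
    long col = find_column(&c, 1, "needle", &stale);
    printf("col=%ld stale=%d\n", col, stale);
    free(c.buf);
    return 0;
}
```

Passing `borrowed` instead of `line` to the matcher would hand it a freed buffer, which is the stale-pointer condition the copy removes.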
Preconditions
- input: The victim must open a file with the `:open` command in Vim.
- input: The file content must be crafted so that the line buffer is flushed during regex matching triggered by `:open`.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNXY7T5OORA7UJIMGSJBGHFMU6UZWS6P/ (mitre, vendor-advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WYB2LLNUFJUKJJ5HYCZ6MV3Z6YX3U5BN/ (mitre, vendor-advisory)
- security.gentoo.org/glsa/202208-32 (mitre, vendor-advisory)
- www.openwall.com/lists/oss-security/2022/01/15/1 (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/03/msg00018.html (mitre, mailing-list)
- lists.debian.org/debian-lts-announce/2022/11/msg00009.html (mitre, mailing-list)
- github.com/vim/vim/commit/e031fe90cf2e375ce861ff5e5e281e4ad229ebb9 (mitre)
- huntr.dev/bounties/0efd6d23-2259-4081-9ff1-3ade26907d74 (mitre)
News mentions
No linked articles in our index yet.