VYPR
Unrated severity · NVD Advisory · Published Dec 19, 2021 · Updated Aug 3, 2024

Heap-based Buffer Overflow in vim/vim

CVE-2021-4136

Description

A heap-based buffer overflow in vim could be exploited via a specially crafted file, potentially leading to arbitrary code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-4136 describes a heap-based buffer overflow vulnerability in vim, the popular text editor. The flaw resides in the way vim handles certain file data during parsing, allowing an attacker to trigger a heap overflow by providing a specifically crafted file. The exact affected version is not detailed in the provided references, but the vulnerability was reported and a fix was discussed in late 2021 [4].

Exploitation

Exploitation requires an attacker to convince a user to open a maliciously crafted file in vim. No special network position or authentication is needed beyond standard file access. The vulnerability can be triggered when vim parses the file, leading to memory corruption [4].

Impact

Successful exploitation could result in arbitrary code execution in the context of the vim process. This could allow an attacker to execute arbitrary commands, potentially leading to system compromise if vim is run with elevated privileges (e.g., when editing system configuration files). The impact may be limited if vim runs with user-level privileges [4].

Mitigation

Users should update vim to a version that includes a fix for CVE-2021-4136. The fix was committed and released in vim patches after the report, though the exact fixed version is not specified in the referenced materials. Apple included fixes for related issues in macOS Monterey 12.3 [1], Big Sur 11.6.6 [2], and Security Update 2022-005 Catalina [3], though those references address other CVEs. Users are advised to apply the latest vim updates or avoid opening untrusted files as a workaround.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"Missing closing-parenthesis check before pointer increment in eval_lambda() causes a heap-based buffer overflow."

Attack vector

An attacker can trigger the vulnerability by crafting a malicious input file or command that contains a malformed lambda expression, such as `eval 0->(`, and having a victim open it in Vim. The flawed pointer arithmetic in `eval_lambda()` causes an illegal memory access when the closing parenthesis is missing, resulting in a heap-based buffer overflow [ref_id=1]. No authentication or special privileges are required beyond opening the crafted file.

Affected code

The heap-based buffer overflow occurs in `eval_lambda()` in Vim's source code. The flaw is in the logic that advances past the closing parenthesis of a lambda expression — the original code unconditionally incremented the pointer `*arg` after the closing parenthesis check, even when the check failed, leading to an out-of-bounds read on malformed input like `0->(`.

What the fix does

The patch [ref_id=1] restructures the logic in `eval_lambda()` so that the pointer `*arg` is only incremented past the closing parenthesis when `**arg == ')'` is true. If the character is not a closing parenthesis, the error path is taken without advancing the pointer, preventing the out-of-bounds read. A new test case `call assert_fails('eval 0->(', "E110: Missing ')'")` was added to verify the fix.
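The following is an added example, not Vim's eval_lambda() and not code from the patch: a minimal model of the "advance past the closing parenthesis" step described above, with the constructed "before" pattern (unconditional increment) next to the "after" pattern (increment only when `**arg == ')'`). The function names, the cursor-offset helper and the sample inputs are assumptions; the malformed input `(` is the text that follows `0->` in the page's test case. Instead of dereferencing past the terminator, the example measures where each variant leaves the cursor, so the overrun is observable without triggering undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Vim's own eval_lambda(): a model of the step that
 * skips a lambda argument list.  *arg points at the '(' that opens the
 * list; the function scans to the closing ')' and leaves *arg just after
 * it.  Returns 0 on success, -1 when the ')' is missing (Vim's E110).
 */

/* Constructed "before" pattern: the increment happens whether or not the
 * check succeeded, so for input "(" the cursor is moved past the NUL
 * terminator and the caller would keep parsing out of bounds. */
static int skip_lambda_args_vulnerable(const char **arg)
{
    const char *p = *arg + 1;              /* step over '(' */
    while (*p != '\0' && *p != ')')
        ++p;
    int found = (*p == ')');
    *arg = p + 1;                          /* BUG: unconditional increment */
    return found ? 0 : -1;
}

/* "After" pattern: only advance when the character really is ')'. */
static int skip_lambda_args_fixed(const char **arg)
{
    const char *p = *arg + 1;
    while (*p != '\0' && *p != ')')
        ++p;
    if (*p != ')') {
        *arg = p;                          /* stay on the NUL, report error */
        return -1;
    }
    *arg = p + 1;                          /* safe: we are on ')' */
    return 0;
}

/* Run a parser variant and return the parser's status code. */
static int parse_status(const char *input, int (*parser)(const char **))
{
    const char *arg = input;
    return parser(&arg);
}

/* Run a parser variant and report how far (in bytes) it moved the cursor.
 * An offset greater than strlen(input) means the cursor is beyond the
 * terminating NUL, i.e. the next read would be out of bounds. */
static long cursor_offset(const char *input, int (*parser)(const char **))
{
    const char *arg = input;
    parser(&arg);
    return (long)(arg - input);
}

/* 1 if the variant leaves the cursor past the end of the string. */
static int overruns(const char *input, int (*parser)(const char **))
{
    return cursor_offset(input, parser) > (long)strlen(input);
}

int main(void)
{
    /* Constructed inputs: the malformed list from "0->(" and a well-formed one. */
    const char *malformed = "(";
    const char *wellformed = "(a, b)";

    printf("vulnerable on \"%s\": status=%d overrun=%d\n", malformed,
           parse_status(malformed, skip_lambda_args_vulnerable),
           overruns(malformed, skip_lambda_args_vulnerable));
    printf("fixed      on \"%s\": status=%d overrun=%d\n", malformed,
           parse_status(malformed, skip_lambda_args_fixed),
           overruns(malformed, skip_lambda_args_fixed));
    printf("fixed      on \"%s\": offset=%ld\n", wellformed,
           cursor_offset(wellformed, skip_lambda_args_fixed));
    return 0;
}
```

Both variants report the missing parenthesis; the difference is only where they leave the cursor. Because the caller continues parsing from `*arg`, a cursor one past the terminator is the out-of-bounds read the advisory describes, which is why the fix must gate the increment on the check rather than just adding an error return.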

Preconditions

  • Input: The victim must open a crafted file or execute a crafted command in Vim that includes a malformed lambda expression like `0->(`.
  • Auth: No authentication or special privileges required beyond normal Vim usage.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
