Unrated severity · NVD Advisory · Published Dec 31, 2021 · Updated Aug 3, 2024

Use After Free in vim/vim

CVE-2021-4192

Description

A use-after-free vulnerability in vim could lead to memory corruption; exploitation may require vim to be running with elevated privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

vim is vulnerable to a use-after-free issue. The exact location and conditions are not disclosed in the available references. Affected versions are not specified, but the CVE was assigned in 2021 [4].

Exploitation

According to the oss-security post [4], exploitation may require vim to be configured to run with raised privileges (e.g., for editing system configuration files). No further details are available.

Impact

Successful exploitation could lead to memory corruption, potentially resulting in arbitrary code execution or unexpected application termination. The privilege level achieved would depend on the context in which vim is running [4].

Mitigation

No fix has been disclosed in the available references. Users should apply any updates from vim's official repository or distribution when available. As of the publication date, no patch version is specified [4].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

41

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Use-after-free in reg_match_visual() where getvvcol() can flush and free rex.line, but the stale pointer is later dereferenced in win_linetabsize()."

Attack vector

An attacker can craft a file or input containing a pattern with `\%V` (match inside the visual area) that triggers the use-after-free. When `reg_match_visual()` is executed, the call to `getvvcol()` can cause `rex.line` to be freed and reallocated, but the old pointer is still used in the `win_linetabsize()` call. This can lead to a crash or potentially arbitrary code execution. No authentication is required; the attacker only needs to convince a victim to open the crafted file or paste the pattern into Vim.

Affected code

The vulnerability is in the `reg_match_visual()` function in Vim's regex engine. The patch moves the `col` computation before the `mode == 'v'` block and, crucially, re-fetches `rex.line` via `reg_getline()` after `win_linetabsize()` is called, because `getvvcol()` (called earlier) can flush the cached line pointer, leaving a dangling reference.

What the fix does

The patch moves the `col` computation earlier and, after `win_linetabsize()` is called, explicitly re-fetches `rex.line` via `reg_getline(rex.lnum)` and resets `rex.input` to `rex.line + col`. This ensures that any stale pointer freed by `getvvcol()` is replaced with a valid one before the subsequent bounds check, closing the use-after-free window.
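
The stale-pointer pattern and the re-fetch remedy described above, reduced to a toy one-slot line cache. This is an added example, not Vim's source or the patch itself, and it does not reproduce the patch's exact statement order; `cache_getline`, `helper_that_may_flush`, `line_width` and `match_width_refetched` are hypothetical stand-ins for the roles played by `reg_getline()`, `getvvcol()`, `win_linetabsize()` and `reg_match_visual()`.

```c
/* Toy model of the pattern described above; not Vim source, all names hypothetical. */
#include <stdlib.h>
#include <string.h>

static const char *buffer_lines[] = { "alpha\tbeta", "gamma delta" }; /* constructed sample */
static char *cached;        /* one-slot cache: heap copy of the last line fetched */
static unsigned generation; /* bumped whenever the slot is freed and refilled */

/* Returns a pointer that stays valid only until the next call flushes the slot. */
static char *cache_getline(int lnum)
{
    free(cached);           /* pointers handed out earlier are dangling from here on */
    cached = malloc(strlen(buffer_lines[lnum]) + 1);
    if (cached == NULL)
        abort();
    strcpy(cached, buffer_lines[lnum]);
    generation++;
    return cached;
}

/* Stand-in for a helper that reads another line and so flushes the cache. */
static int helper_that_may_flush(void)
{
    return (int)strlen(cache_getline(1));
}

/* Display width of the first col bytes, tabs advancing to the next multiple of 8. */
static int line_width(const char *line, int col)
{
    int w = 0;
    for (int i = 0; i < col && line[i] != '\0'; i++)
        w = (line[i] == '\t') ? (w / 8 + 1) * 8 : w + 1;
    return w;
}

/* Hardened ordering; offset must not exceed the line length. */
int match_width_refetched(int lnum, int offset, int *was_stale)
{
    char *line = cache_getline(lnum);
    char *input = line + offset;
    int col = (int)(input - line);   /* keep an integer, not a pointer, across the call */
    unsigned seen = generation;

    (void)helper_that_may_flush();   /* line and input are dangling after this */
    *was_stale = (generation != seen);
    line = cache_getline(lnum);      /* re-fetch before any dereference */
    input = line + col;              /* rebuild the derived pointer as well */
    return line_width(line, (int)(input - line));
}
```

The generation counter is only there to make the invalidation observable; building the unfixed ordering with AddressSanitizer (`-fsanitize=address`) is the usual way to catch this class of bug in real code.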

Preconditions

  • Input: Victim must open a crafted file or paste a malicious pattern containing `\%V` into Vim.
  • Input: The pattern must trigger the `reg_match_visual()` code path.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13
