Unrated severity · NVD Advisory · Published Dec 31, 2021 · Updated Aug 3, 2024

Out-of-bounds Read in vim/vim

CVE-2021-4193

Description

An out-of-bounds read vulnerability in Vim could allow an attacker to crash the editor or leak sensitive memory via a crafted file.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2021-4193 describes an out-of-bounds read vulnerability in Vim, the popular text editor. The bug resides in the in-memory processing of file data when Vim opens a specially crafted file. Affected versions include those prior to the patch released in early 2022; specific version numbers are not detailed in the available references [4]. The issue was reported via huntr.dev and is triggered when a file is opened, requiring no special configuration beyond normal Vim usage [4].

Exploitation

An attacker must convince a user to open a maliciously crafted file with Vim. No network position or authentication is required; only local file access is needed. The sequence involves the attacker providing a crafted file that, when parsed by Vim's internal routines, causes an out-of-bounds read [4]. User interaction is minimal—the victim simply opens the file, and the code path is reachable without additional privileges or race conditions [4].

Impact

Successful exploitation may lead to an unexpected application termination (denial of service) and could potentially leak sensitive memory contents due to the out-of-bounds read [4]. The official description lists this as an out-of-bounds read, indicating a confidentiality impact, though the full extent of information disclosure is not detailed. The impact is limited to the context of the Vim process and does not provide code execution or privilege escalation in typical usage [4].

Mitigation

Vim was patched in the commit that addressed this issue, and users should update to the latest version. As of the available references, no workaround is provided; the only mitigation is to apply the vendor fix. Apple included the fix in macOS Monterey 12.3, macOS Big Sur 11.6.6, and Security Update 2022-005 Catalina, all released by July 2022 [1][2][3]. Systems running unpatched Vim versions are vulnerable and should be updated.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

44

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing bounds check when a visual position points beyond the end of the line causes an out-of-bounds read in getvcol()."

Attack vector

An attacker can craft a Vim script or input that sets a visual selection (`<C-V>`) on a line and then executes a search for `/\%V` (match within the visual area). If the visual position is invalid (e.g., beyond the end of the line), the old code reads past the NUL terminator, leading to an out-of-bounds read. This can be triggered by running the sequence `0o000\<Esc>0\<C-V>$s0` followed by `/\%V` as shown in the test case [ref_id=1].

Affected code

The bug is in the `getvcol()` function in `src/misc1.c`. When the visual position used by a `/\%V` search points beyond the end of the line, the old code only checked for an empty line (`*ptr == NUL`) and set `col = 0`. It did not handle the case where `pos->col` is larger than the line length, so dereferencing `ptr + pos->col` read out of bounds.

What the fix does

The patch replaces the single `*ptr == NUL` check with a loop that iterates up to `pos->col` and checks each byte for NUL. If a NUL is found before reaching `pos->col`, it clamps `pos->col` to the current index, preventing the pointer from advancing past the end of the line. This ensures that even when a visual position is invalid, the code stays within the allocated line buffer [ref_id=1].
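
The difference between the two checks, as an added example that is not Vim's source or the patch itself: a simplified C model in which `col_old_check`, `col_fixed_check` and `col_in_bounds` are hypothetical names and the line and stale column are constructed values. It never dereferences the out-of-range offset; it only reports whether the resulting column still lies inside the line buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the column check described above; not Vim's source.
 * `line` is a NUL-terminated buffer, `col` a caller-supplied byte column. */

/* Old behaviour as described: only an empty line resets the column. */
static size_t col_old_check(const char *line, size_t col)
{
    if (*line == '\0')
        return 0;
    return col;   /* may exceed strlen(line), so line + col is out of bounds */
}

/* Fixed behaviour as described: scan up to col, clamp at the first NUL. */
static size_t col_fixed_check(const char *line, size_t col)
{
    for (size_t i = 0; i < col; ++i)
        if (line[i] == '\0')
            return i;   /* clamp to the terminator, never past it */
    return col;
}

/* True when line + col still points inside the string (terminator included). */
static int col_in_bounds(const char *line, size_t col)
{
    return col <= strlen(line);
}

int main(void)
{
    const char *line = "000";   /* constructed sample line: 3 bytes + NUL */
    size_t stale = 7;           /* constructed stale column beyond the end */

    size_t o = col_old_check(line, stale);
    size_t f = col_fixed_check(line, stale);
    printf("old:   col=%zu in_bounds=%d\n", o, col_in_bounds(line, o));
    printf("fixed: col=%zu in_bounds=%d\n", f, col_in_bounds(line, f));
    return 0;
}
```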

Preconditions

  • input: The attacker must be able to supply or trigger a Vim command sequence that sets an invalid visual position and then executes a `/\%V` search.
  • auth: The attacker must have a way to execute Vim commands (e.g., via a crafted file opened in Vim or a plugin).

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

13
