Login Sign Up

CVE-2021-3770

7.8 HIGH
Buffer Overflow

📋 TL;DR

CVE-2021-3770 is a heap-based buffer overflow vulnerability in Vim text editor that allows attackers to execute arbitrary code by tricking users into opening specially crafted files. This affects all users who open untrusted files with vulnerable Vim versions. The vulnerability occurs during file processing when Vim incorrectly handles certain data structures.

💻 Affected Systems

Products:
  • Vim
Versions: Vim versions before 8.2.3489
Operating Systems: Linux, Unix-like systems, Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected Vim versions are vulnerable. The vulnerability is triggered when processing certain file types.

📦 What is this software?

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Fedora by Fedoraproject

View all CVEs affecting Fedora →

Ontap Select Deploy Administration Utility by Netapp

View all CVEs affecting Ontap Select Deploy Administration Utility →

Vim by Vim

View all CVEs affecting Vim →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution with the privileges of the Vim user, potentially leading to full system compromise if Vim is run with elevated privileges.

🟠

Likely Case

Local privilege escalation or arbitrary code execution when users open malicious files, potentially leading to data theft or further system compromise.

🟢

If Mitigated

Limited impact if Vim runs with minimal privileges and users only open trusted files, though the vulnerability still exists.

🌐 Internet-Facing: LOW - Vim is typically not directly internet-facing, though could be exploited through file uploads to web applications.
🏢 Internal Only: MEDIUM - High risk for developers and system administrators who frequently use Vim to edit various files, including potentially untrusted ones.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious file). Proof-of-concept code is available in public repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Vim 8.2.3489 and later

Vendor Advisory: https://github.com/vim/vim/commit/b7081e135a16091c93f6f5f7525a5c58fb7ca9f9

Restart Required: No

Instructions:

1. Update Vim using your system's package manager. 2. For Linux: 'sudo apt update && sudo apt upgrade vim' (Debian/Ubuntu) or 'sudo yum update vim' (RHEL/CentOS). 3. For macOS: 'brew upgrade vim'. 4. For Windows: Download latest version from vim.org. 5. Verify update with 'vim --version'.

🔧 Temporary Workarounds

Restrict file access

all

Limit Vim usage to trusted files only and avoid opening files from untrusted sources.

Use alternative editor

all

Temporarily use a different text editor (nano, emacs, etc.) until Vim is patched.

🧯 If You Can't Patch

  • Run Vim with minimal privileges (non-root user)
  • Implement application whitelisting to restrict Vim execution to specific trusted directories

🔍 How to Verify

Check if Vulnerable:

Run 'vim --version' and check if version is below 8.2.3489

Check Version:

vim --version | head -1

Verify Fix Applied:

Run 'vim --version' and confirm version is 8.2.3489 or higher

📡 Detection & Monitoring

Log Indicators:

  • Vim crashes with segmentation faults
  • Unusual process spawning from Vim sessions
  • Abnormal memory usage patterns in Vim processes

Network Indicators:

  • File downloads followed by immediate Vim execution
  • Suspicious file transfers to systems running Vim

SIEM Query:

process_name:vim AND (event_type:crash OR memory_usage:>threshold)

📊 Metadata

CVE ID: CVE-2021-3770
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-122
Published: September 6, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-3770, you might also want to check these:

CVE-2021-21940 10.0

A heap-based buffer overflow vulnerability in Anker Eufy Homebase 2's RTSP handling allows remote co...

Same vulnerability type (CWE-122)
CVE-2023-45318 10.0

This critical vulnerability allows remote attackers to execute arbitrary code on systems running Wes...

Same vulnerability type (CWE-122)
CVE-2025-23123 10.0

A heap buffer overflow vulnerability in UniFi Protect Camera firmware allows remote code execution. ...

Same vulnerability type (CWE-122)