CVE-2021-4166
Published: 25 December 2021
vim is vulnerable to Out-of-bounds Read
Notes
| Author | Note |
|---|---|
| ccdm94 | code in bionic and earlier does not include file src/arglist.c, which is the patched file. The patched code for these releases seems to be instead present in src/buffer.c, as seen in commit 4ad62155a10. Changes that led to the creation of file arglist.c and changes made to the code that follow the creation of this file are significant, which would result in an intrusive backport should the altered CVE patch and other necessary changes be applied in bionic and earlier. Consequently, the issue will be marked as ignored for the previously mentioned releases. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
vim Launchpad, Ubuntu, Debian |
bionic |
Ignored
(see notes)
|
| focal |
Released
(2:8.1.2269-1ubuntu5.14)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Ignored
(reached end-of-life)
|
|
| jammy |
Not vulnerable
(2:8.2.3995-1ubuntu2)
|
|
| kinetic |
Not vulnerable
(2:8.2.3995-1ubuntu3)
|
|
| trusty |
Ignored
(see notes)
|
|
| upstream |
Released
(8.2.3884)
|
|
| xenial |
Ignored
(see notes)
|
|
|
Patches: upstream: https://github.com/vim/vim/commit/6f98371532fcff911b462d51bc64f2ce8a6ae682 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.1 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H |