PatchSiren cyber security CVE debrief

CVE-2017-6349 Vim CVE debrief

CVE-2017-6349 is a critical Vim flaw in undo-file handling. A corrupted undo file can trigger an integer overflow during memory allocation in u_read_undo if tree-length values are not validated, which can lead to buffer overflows. The issue was published on 2017-02-27 and is fixed by the upstream patch referenced in the source corpus.

Vendor: Vim
Product: CVE-2017-6349
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-27
Original CVE updated: 2026-05-13
Advisory published: 2017-02-27
Advisory updated: 2026-05-13

Who should care

Anyone running Vim 8.0.0376 or earlier, especially on systems that open untrusted or externally supplied undo files. This also matters to Linux distro maintainers and administrators responsible for packaged Vim builds.

Technical summary

According to NVD, the vulnerable range is vim versions up to and including 8.0.0376. The flaw is classified as CWE-190 (integer overflow) and occurs in the u_read_undo allocation path when parsing a corrupted undo file with invalid tree-length values. The listed upstream fix is the Vim commit 3eb1637b1bba19519885dd6d377bd5596e91d22c.
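To make the CWE-190 allocation pattern concrete, the following is an added illustrative example and not Vim's code (it is not the u_read_undo source or the upstream fix): a hypothetical 4-byte big-endian tree-length field is read from a constructed undo-style header, and the allocation size is computed once without validation, where 32-bit arithmetic wraps to a tiny size, and once with the range and overflow checks that close this class of bug. The header layout, record size, function names and the entry cap are all assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for an undo-file header: a 4-byte big-endian entry
 * count ("tree length") followed by one 8-byte record per entry.
 * This is NOT Vim's real undo-file format. */
#define HDR_LEN 4u
#define ENTRY_SIZE 8u
#define MAX_ENTRIES (1u << 20)   /* assumed sanity cap on entries per file */

enum undo_status { UNDO_OK = 0, UNDO_TRUNCATED = 1, UNDO_BAD_COUNT = 2 };

static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Vulnerable pattern: the count taken from the file is multiplied in 32-bit
 * arithmetic with no range check, so a crafted count wraps to a small
 * allocation that a later per-entry copy loop would overrun.
 * Returns the (possibly wrapped) byte size that would be requested. */
uint32_t unchecked_alloc_bytes(uint32_t count)
{
    return count * ENTRY_SIZE;          /* 0x40000000 * 8 wraps to 0 */
}

/* Hardened pattern: reject zero, over-cap and overflowing counts before any
 * allocation, and require the file to actually carry that many records. */
enum undo_status parse_tree_header(const unsigned char *buf, size_t len,
                                   size_t *out_bytes)
{
    *out_bytes = 0;
    if (len < HDR_LEN)
        return UNDO_TRUNCATED;
    uint32_t count = read_be32(buf);
    if (count == 0 || count > MAX_ENTRIES)
        return UNDO_BAD_COUNT;
    if ((size_t)count > SIZE_MAX / ENTRY_SIZE)   /* product cannot overflow */
        return UNDO_BAD_COUNT;
    size_t need = (size_t)count * ENTRY_SIZE;
    if (len - HDR_LEN < need)                     /* declared vs. actual size */
        return UNDO_TRUNCATED;
    *out_bytes = need;
    return UNDO_OK;
}

/* Constructed sample headers: a valid 2-entry file and a crafted huge count. */
const unsigned char HDR_GOOD[] = {0, 0, 0, 2, 1, 2, 3, 4, 5, 6, 7, 8,
                                  9, 10, 11, 12, 13, 14, 15, 16};
const unsigned char HDR_HUGE[] = {0x40, 0, 0, 0};
```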

Defensive priority

Critical. Upgrade or backport the fix as soon as practical, because the issue is scored as high impact (CVSS 9.8, Critical) and affects common editor workflows that may ingest untrusted file content.

Recommended defensive actions

  • Upgrade Vim to a version that includes patch 8.0.0377 or later.
  • If immediate upgrading is not possible, backport the upstream fix from commit 3eb1637b1bba19519885dd6d377bd5596e91d22c.
  • Review deployment paths where Vim may open attacker-controlled or shared undo files.
  • Prioritize vendor package updates for distributions that ship affected Vim builds.
  • Confirm affected hosts are not pinned to version 8.0.0376 or earlier.
  • Track downstream advisories such as Gentoo GLSA-201706-26 and Ubuntu USN-4309-1 for packaging guidance.

Evidence notes

The vulnerability description, CVSS 3.0 vector, and CWE-190 classification come from the official NVD record. The affected version boundary is taken from the NVD CPE criteria, which mark Vim versions through 8.0.0376 as vulnerable. The source corpus also includes the upstream Vim fix commit 3eb1637b1bba19519885dd6d377bd5596e91d22c and downstream advisories from Gentoo and Ubuntu.

Official resources

The CVE was published on 2017-02-27. The source corpus shows a later NVD modification date of 2026-05-13, which should not be treated as the original disclosure date.