PatchSiren cyber security CVE debrief
CVE-2017-6350 Vim CVE debrief
CVE-2017-6350 is a critical Vim vulnerability affecting versions through 8.0.0377. According to NVD and the vendor-linked patch reference, an integer overflow in unserialize_uep can occur when Vim fails to validate tree length values while reading a corrupted undo file, which may lead to buffer overflows. The vulnerability was publicly recorded on 2017-02-27, and the NVD entry was later modified on 2026-05-13; that later date reflects record maintenance, not the original issue date.
- Vendor: Vim
- Product: CVE-2017-6350
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-27
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-27
- Advisory updated: 2026-05-13
Who should care
Administrators, Linux distribution maintainers, and anyone deploying or packaging Vim should care, especially if users may open untrusted or corrupted undo files. Security teams responsible for editor packages and workstation baselines should verify patched builds.
Technical summary
NVD classifies the flaw as CWE-190 (integer overflow) with a CVSS 3.0 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is described as insufficient validation in unserialize_uep's memory allocation path while processing tree-length data from a corrupted undo file. The affected CPE range in the record ends at Vim 8.0.0377, and the referenced fix is the upstream Vim commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75.
Defensive priority
High. This is a critical-severity memory corruption issue with a vendor-linked upstream fix and distro advisories. Prioritize patching or upgrading Vim wherever untrusted undo files might be encountered.
Recommended defensive actions
- Upgrade Vim to a version that includes the upstream fix referenced by commit 0c8485f0e4931463c0f7986e1ea84a7d79f10c75, or ensure the package version is newer than 8.0.0377.
- Verify enterprise package repositories and workstation images for affected Vim builds and replace any version at or below 8.0.0377.
- Apply vendor or distribution security updates referenced in the advisory trail, including Gentoo GLSA 201706-26 and Ubuntu USN-4309-1 where applicable.
- Restrict or review handling of untrusted or corrupted undo files in environments where editor inputs may come from external sources.
- Add vulnerability management checks for Vim package versions to prevent reintroduction of vulnerable builds.
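As an added example (not PatchSiren's or the Vim project's code), the check below parses `vim --version` output and compares the build against the 8.0.0377 boundary the record gives; the sample outputs are constructed, and the patch-level parsing reflects how Vim reports its release plus an "Included patches" line.

```python
import re
import subprocess
from typing import Optional, Tuple

# Upper end of the affected range named in the NVD record for CVE-2017-6350.
LAST_AFFECTED = (8, 0, 377)
VERSION_RE = re.compile(r"VIM - Vi IMproved (\d+)\.(\d+)")
PATCHES_RE = re.compile(r"Included patches:\s*([^\n]*)")

def parse_vim_version(output: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, highest_patch) from `vim --version` text, or None.

    The banner line carries the release (e.g. "8.0"); an "Included patches: 1-377"
    line, possibly with several ranges, carries the patch level (here 8.0.0377).
    """
    m = VERSION_RE.search(output)
    if m is None:
        return None
    patch = 0
    p = PATCHES_RE.search(output)
    if p is not None:
        numbers = [int(n) for n in re.findall(r"\d+", p.group(1))]
        if numbers:
            patch = max(numbers)
    return (int(m.group(1)), int(m.group(2)), patch)

def assess(output: str) -> str:
    """Return 'affected' for builds at or below 8.0.0377, else 'not affected'."""
    version = parse_vim_version(output)
    if version is None:
        return "unknown"
    # Tuple comparison orders by major, then minor, then patch level.
    return "affected" if version <= LAST_AFFECTED else "not affected"

# Constructed sample outputs (not captured from a real system) for a dry run.
SAMPLE_AFFECTED = (
    "VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Feb 20 2017 10:00:00)\n"
    "Included patches: 1-377\n"
)
SAMPLE_PATCHED = (
    "VIM - Vi IMproved 8.0 (2016 Sep 12, compiled Mar 01 2017 10:00:00)\n"
    "Included patches: 1-500\n"
)

if __name__ == "__main__":
    try:  # query the locally installed Vim; report 'unknown' when it is absent
        text = subprocess.run(["vim", "--version"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        text = ""
    print(assess(text))
```

Distribution packages often backport the fix without raising the upstream patch level, so treat this result as a screening signal and confirm against the distribution advisory (USN-4309-1, GLSA 201706-26) before closing a finding.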
Evidence notes
This debrief is based on the supplied NVD record and its cited references. The key factual anchors are: the CVE description, the CVSS 3.0 vector and score, the CWE-190 classification, the affected version range ending at 8.0.0377, and the upstream patch commit reference. No exploit steps or reproduction guidance are included.
Official resources
- CVE-2017-6350 CVE record (CVE.org)
- CVE-2017-6350 NVD detail (NVD)
- Mitigation or vendor reference (tagged Patch, Third Party Advisory in the NVD record)
Publicly disclosed on 2017-02-27. The source record was later modified on 2026-05-13, but the issue date remains the original CVE publication date.