CVE-2021-3796: 
NixOS vulnerability analysis and mitigation

A use-after-free vulnerability was discovered in Vim text editor, identified as CVE-2021-3796. The vulnerability was found in the nv_replace() function in normal.c and affects Vim versions prior to 8.2.3428. The issue was discovered and disclosed in September 2021, affecting various distributions of Vim including Debian, Ubuntu, Fedora, and Red Hat systems (Red Hat CVE, Debian Tracker).

The vulnerability is a use-after-free memory error that occurs in the nv_replace() function within normal.c. When Vim is built with specific features (--with-features=huge --enable-gui=none) and address sanitizer, the vulnerability can be triggered through specially crafted input. The CVSS v3.1 base score for this vulnerability is 7.3 (High), with a vector of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H, indicating local attack vector, low attack complexity, no privileges required, and user interaction required (NetApp Security).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The vulnerability has high confidentiality impact, low integrity impact, and high availability impact (NetApp Security).

The vulnerability was fixed in Vim version 8.2.3428 through patch 8.2.3428. Various Linux distributions have released security updates to address this vulnerability. Users are advised to upgrade to the fixed version. For Fedora, updates were provided in vim-8.2.3512-1, for Ubuntu in version 2:8.2.2434-3ubuntu2, and for Debian in version 2:8.2.3455-1 (Fedora Update, Debian Tracker).