Skip to main content

Vim CVE-2026-33412

| EUVDEUVD-2026-14998 HIGH
OS Command Injection (CWE-78)
2026-03-24 GitHub_M
7.3
CVSS 3.1 · NVD
Temporal: 5.6
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CIRCL (temporal)
5.6 MEDIUM
cvss
vuln.today AI
7.8 HIGH

Local because expansion runs on the victim host (AV:L), no attacker account needed (PR:N), but the victim must process the malicious pattern (UI:R), yielding full command execution as the user (C/I/A:H).

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Ubuntu
MEDIUM
qualitative
SUSE
5.6 MEDIUM
AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Red Hat
7.3 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

12
Analysis Updated
Jun 30, 2026 - 04:49 vuln.today
v5 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:48 vuln.today
v4 (cvss_changed)
Analysis Updated
Jun 30, 2026 - 04:47 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jun 30, 2026 - 04:47 vuln.today
Analysis Updated
Jun 30, 2026 - 04:47 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 30, 2026 - 03:24 vuln.today
cvss_changed
Severity Changed
Jun 30, 2026 - 03:24 NVD
MEDIUM HIGH
CVSS changed
Jun 30, 2026 - 03:24 NVD
5.6 (MEDIUM) 7.3 (HIGH)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 24, 2026 - 20:00 euvd
EUVD-2026-14998
Analysis Generated
Mar 24, 2026 - 20:00 vuln.today
CVE Published
Mar 24, 2026 - 19:43 nvd
MEDIUM 5.6

DescriptionNVD

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

AnalysisAI

Arbitrary shell command execution in Vim before 9.2.0202 occurs when its glob() function expands a pattern containing a newline (\n) on Unix-like systems, causing text after the newline to be passed to and executed by the user's configured 'shell'. Any workflow that feeds attacker-influenced patterns to glob() - scripts, plugins, or processing of untrusted files - can be abused to run commands with the victim's privileges. EPSS is very low (0.05%, 15th percentile) and CISA SSVC reports no observed exploitation, so this is currently no public exploit identified at time of analysis despite a 'total' technical-impact rating.

Technical ContextAI

Vim is a ubiquitous open-source modal text editor; the flaw is a CWE-78 OS command injection. On Unix-like platforms Vim's wildcard expansion (mch_expandpath in src/os_unix.c) builds a shell command line to resolve glob patterns and escapes a fixed set of shell-special characters via the SHELL_SPECIAL macro. The vendor commit 645ed65 pinpoints the bug: the original SHELL_SPECIAL list (\t \"&'$;<>()\\|) omitted the newline character, so a '\n' inside a pattern reached the shell invocation unescaped, letting the shell treat the following text as a separate command. Because expansion is delegated to the user's 'shell' option, exploitability depends on which shell is configured. The fix simply adds '\n' to SHELL_SPECIAL. The affected CPE is cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:* for all versions prior to 9.2.0202.

RemediationAI

Vendor-released patch: 9.2.0202 - upgrade Vim to 9.2.0202 or later (release https://github.com/vim/vim/releases/tag/v9.2.0202, fixing commit 645ed6597d1ea896c712cd7ddbb6edee79577e9a). On managed Linux systems apply the corresponding distribution updates rather than building from source: Ubuntu USN-8171-1 (https://ubuntu.com/security/notices/USN-8171-1), Debian's vim packages (bug#1131450), and the relevant Red Hat erratum such as RHSA-2026:7711 (https://access.redhat.com/errata/RHSA-2026:7711). Until patched, avoid passing untrusted or externally-derived strings to glob()/wildcard expansion in Vimscript, treat untrusted files, plugins, and modelines with caution, and as a configuration-level mitigation consider pointing the 'shell' option at a shell less prone to command chaining or disabling plugins that perform glob expansion on attacker-controlled input - note these workarounds reduce convenience and may break plugins or scripts that rely on shell-based expansion, so the version upgrade is strongly preferred.

More in Vim

View all
CVE-2022-3520 CRITICAL POC
9.8 Dec 02

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0765. Rated critical severity (CVSS 9.8), this vuln

CVE-2022-0729 HIGH POC
8.8 Feb 23

Use of Out-of-range Pointer Offset in GitHub repository vim/vim prior to 8.2.4440. Rated high severity (CVSS 8.8), this

CVE-2026-34714 HIGH POC
8.6 Mar 30

{expr} payload embedded in a modeline to be evaluated even when the protective 'modelineexpr' setting is off (the defaul

CVE-2019-12735 HIGH POC
8.6 Jun 05

getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via th

CVE-2021-3968 HIGH POC
8.0 Nov 19

vim is vulnerable to Heap-based Buffer Overflow. Rated high severity (CVSS 8.0), this vulnerability is remotely exploita

CVE-2023-4735 HIGH POC
7.8 Sep 02

Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1847. Rated high severity (CVSS 7.8), this vulnerability i

CVE-2023-4781 HIGH POC
7.8 Sep 05

Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. Rated high severity (CVSS 7.8), this vulnerab

CVE-2023-4734 HIGH POC
7.8 Sep 02

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1846. Rated high severity (CVSS 7.8), this vuln

CVE-2023-4733 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1840. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4750 HIGH POC
7.8 Sep 04

Use After Free in GitHub repository vim/vim prior to 9.0.1857. Rated high severity (CVSS 7.8), this vulnerability is no

CVE-2023-4736 HIGH POC
7.8 Sep 02

Untrusted Search Path in GitHub repository vim/vim prior to 9.0.1833. Rated high severity (CVSS 7.8), this vulnerability

CVE-2023-2610 HIGH POC
7.8 May 09

Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. Rated high severity (CVSS 7.8), this vuln

Vendor StatusVendor

Ubuntu

Priority: Medium
vim
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
questing needs-triage -
upstream needs-triage -

Debian

Bug #1131450
vim
Release Status Fixed Version Urgency
bullseye vulnerable 2:8.2.2434-3+deb11u1 -
bullseye (security) vulnerable 2:8.2.2434-3+deb11u3 -
bookworm vulnerable 2:9.0.1378-2+deb12u2 -
trixie vulnerable 2:9.1.1230-2 -
forky vulnerable 2:9.1.2141-1 -
sid fixed 2:9.2.0218-1 -
(unstable) fixed 2:9.2.0218-1 -

SUSE

Severity: Medium
Product Status
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-6.162 Affected
Container suse/sl-micro/6.0/toolbox:13.2-9.95 Affected
Container suse/sl-micro/6.1/baremetal-os-container:2.2.1-7.91 Affected
Container suse/sle-micro-rancher/5.2:latest Affected
Container suse/sle-micro/5.2/toolbox:14.2-7.11.272 Affected

Share

CVE-2026-33412 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy