[security][HIGH] vim 9.1.1552: 9 CVE require triage #4

Closed
opened 2026-04-29 04:37:31 +03:00 by sbelikov · 1 comment

CVE triage request

Package

  • Package: vim
  • Version: 9.1.1552
  • EVR: 9.1.1552-1
  • Category: standard
  • Policy class: leaf
  • NiceOS policy class: -
  • Owner: base-team
  • Severity: HIGH
  • Max CVSS: 8.6
  • CVE count: 9

LLM recommendation

RU

9 CVE candidates were found for package vim version 9.1.1552. Most of them relate to the 9.2.x versions, but CVE-2025-66476 affects the 9.1.x branch (before 9.1.1947). Careful triage is required to confirm applicability to the current platform and architecture.

Perform manual triage of each CVE. Install the package on a test system, check for the presence of vulnerable features (for example netrw, netbeans, swap file recovery) and reproduce the exploitation conditions. For CVE-2025-66476, check whether Windows and cmd.exe are in use.

Recommended action: needs_triage

Target version hint: 9.1.1947

Checks:

1. Check the vim version and the presence of security patches in the changelog.
2. For CVE-2025-66476: check the OS (Windows) and shell (cmd.exe).
3. For CVE-2026-34714, 34982, 28417, 39881, 26269, 33412, 35177: check for the presence of the relevant plugins (netrw, netbeans, zip.vim) and options (guitabtooltip, printheader, mapset) in the vim configuration.
4. Attempt to reproduce the exploit using crafted files or URLs.

Risks: Arbitrary code execution (RCE) when opening files, command injection via URLs or plugins, buffer overflow and memory leak when handling swap files. The vulnerabilities can be exploited locally or remotely depending on the usage context.

EN

9 CVE candidates identified for package vim version 9.1.1552. Most relate to version 9.2.x, but CVE-2025-66476 affects the 9.1.x branch (prior to 9.1.1947). Rigorous triage is required to confirm applicability to the current platform and architecture.

Perform manual triage for each CVE. Install the package on a test system, verify the presence of vulnerable features (e.g., netrw, netbeans, swap file recovery), and reproduce exploitation conditions. For CVE-2025-66476, verify if Windows and cmd.exe are in use.

Recommended action: needs_triage

Target version hint: 9.1.1947

Tests:

1. Verify vim version and security patches in changelog.
2. For CVE-2025-66476: Check OS (Windows) and shell (cmd.exe).
3. For CVE-2026-34714, 34982, 28417, 39881, 26269, 33412, 35177: Check for presence of relevant plugins (netrw, netbeans, zip.vim) and options (guitabtooltip, printheader, mapset) in vim configuration.
4. Attempt to reproduce the exploit using crafted files or URLs.

Risks: Arbitrary code execution (RCE) upon opening files, command injection via URLs or plugins, buffer overflow and memory leak when handling swap files. Vulnerabilities may be exploited locally or remotely depending on usage context.

CVE candidates from NVD/CPE

| CVE | Severity | CVSS | Match | NiceOS status | Reason |
|---|---|---:|---|---|---|
| CVE-2026-34714 | HIGH | 8.6 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-34982 | HIGH | 8.2 | cpe-range | needs_triage | package version is inside version range |
| CVE-2025-66476 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-28417 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-28421 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-39881 | HIGH | 7.8 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-26269 | HIGH | 7.5 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-33412 | HIGH | 7.3 | cpe-range | needs_triage | package version is inside version range |
| CVE-2026-35177 | HIGH | 7.1 | cpe-range | needs_triage | package version is inside version range |

Descriptions

CVE-2026-34714

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

CVE-2026-34982

Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.

CVE-2025-66476

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute malicious executables placed in the current working directory for the current edited file. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.

CVE-2026-28417

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the scp:// protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.

CVE-2026-28421

Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

CVE-2026-39881

Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.

CVE-2026-26269

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

CVE-2026-33412

Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.

CVE-2026-35177

Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.

Maintainer checklist

  • Verify whether each CVE applies to the NiceOS build.
  • Compare NVD data with upstream/vendor advisory.
  • Set final NiceOS status: affected, fixed, not_affected, false_positive, deferred, or not_in_cloud_image.
  • If affected, decide update/backport strategy according to package policy class.
  • Run package-class-specific build, upgrade and regression tests.
  • Add/update niceos_cve_triage entry.
  • Create NICE-SA advisory if a security update is shipped.

Machine metadata

{
  "cves": [
    "CVE-2025-66476",
    "CVE-2026-26269",
    "CVE-2026-28417",
    "CVE-2026-28421",
    "CVE-2026-33412",
    "CVE-2026-34714",
    "CVE-2026-34982",
    "CVE-2026-35177",
    "CVE-2026-39881"
  ],
  "fingerprint": "eaac81d52b268c5b1556",
  "generated_at": "2026-04-29T01:37:30Z",
  "package": "vim",
  "prompt_version": "niceos_cve_issue_analysis_v1",
  "tool": "niceos_cve_create_issues.py",
  "tool_version": "1.0",
  "version": "9.1.1552"
}
sbelikov (Author, Owner) commented:

Fixed in vim-9.2.0420-1 on branch niceos-5.2.

Triage result:

| CVE | NiceOS status | Resolution |
|---|---|---|
| CVE-2025-66476 | fixed / not affected at runtime | Upstream fixed in 9.1.1947. NiceOS updated from 9.1.1552-1 to 9.2.0420-1. This issue is Windows/cmd.exe-specific, so it is not applicable to NiceOS/Linux runtime, but the package version is also above the upstream fixed version. |
| CVE-2026-26269 | fixed | Upstream fixed in 9.1.2148. NiceOS updated to 9.2.0420-1. NiceOS build also uses --disable-netbeans. |
| CVE-2026-28417 | fixed | Upstream fixed in 9.2.0073. NiceOS updated to 9.2.0420-1. |
| CVE-2026-28421 | fixed | Upstream fixed in 9.2.0077. NiceOS updated to 9.2.0420-1. |
| CVE-2026-33412 | fixed | Upstream fixed in 9.2.0202. NiceOS updated to 9.2.0420-1. |
| CVE-2026-34714 | fixed | Upstream fixed before 9.2.0420. NiceOS updated to 9.2.0420-1. |
| CVE-2026-34982 | fixed | Upstream fixed in 9.2.0276. NiceOS updated to 9.2.0420-1. |
| CVE-2026-35177 | fixed | Upstream fixed in 9.2.0280. NiceOS updated to 9.2.0420-1. |
| CVE-2026-39881 | fixed | Upstream fixed in 9.2.0316. NiceOS updated to 9.2.0420-1. NiceOS build also uses --disable-netbeans. |

Verification:

  • Branch niceos-5.2 contains vim-9.2.0420-1.
  • SOURCES/sources.lock.json points to vim-9.2.0420.tar.gz.
  • Build completed successfully.
  • Upgrade test completed successfully.
  • vim --version confirms version 9.2.0420.
  • vim --version confirms -netbeans in the NiceOS build.
  • Basic smoke test completed successfully.

Closing as fixed.
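The closing comment's verification steps as a repeatable check; this is an example added here, not the issue's or NiceOS's own tooling. It assumes the `vim --version` layout shown in the constructed sample (the feature list prints `+netbeans_intg` or `-netbeans_intg` for the NetBeans interface) and takes the CVE-to-fix-version pairs from the descriptions above.

```shell
# Added example (not NiceOS tooling): the closing comment's checks as a
# script. CVE -> upstream fix version, taken from the issue descriptions.
VIM_CVE_FIXES='CVE-2025-66476 9.1.1947
CVE-2026-26269 9.1.2148
CVE-2026-28417 9.2.0073
CVE-2026-28421 9.2.0077
CVE-2026-33412 9.2.0202
CVE-2026-34714 9.2.0272
CVE-2026-34982 9.2.0276
CVE-2026-35177 9.2.0280
CVE-2026-39881 9.2.0316'
# Constructed excerpt in the shape 'vim --version' prints; only the first
# line, the "Included patches" line and the feature list are used.
SAMPLE_VIM_VERSION='VIM - Vi IMproved 9.2 (2025 Sep 04, compiled Apr 29 2026 01:00:00)
Included patches: 1-420
Huge version without GUI.  Features included (+) or not:
+acl               +file_in_path      -netbeans_intg     +syntax
+cmdline_hist      +multi_byte        +quickfix          +terminal'
# 0 if dotted version $1 >= $2; components are compared numerically, so
# 9.2.0073 > 9.1.2148 and zero-padded patch numbers compare correctly.
version_ge() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*} _y=${_b%%.*}
        [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
        [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}
# Print major.minor.patch (e.g. 9.2.0420) from 'vim --version' text on stdin.
# Assumes a contiguous "Included patches: 1-N" range, as in a release build.
vim_effective_version() {
    _out=$(cat)
    _mm=$(printf '%s\n' "$_out" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    _p=$(printf '%s\n' "$_out" | sed -n 's/^Included patches: [0-9][0-9]*-\([0-9][0-9]*\).*/\1/p')
    [ -n "$_mm" ] || return 1
    printf '%s.%04d\n' "$_mm" "${_p:-0}"
}
# Print the CVEs whose fix version is above $1, i.e. still open by version.
vim_open_cves() {
    printf '%s\n' "$VIM_CVE_FIXES" | while read -r _cve _fix; do
        version_ge "$1" "$_fix" || echo "$_cve"
    done
}
# 0 if the feature list on stdin shows "-$1", i.e. the feature is compiled out.
vim_feature_disabled() { grep -qE -- "(^|[[:space:]])-$1([[:space:]]|$)"; }
# Verdict for one build's 'vim --version' text: 0 only if no listed CVE is
# open by version and NetBeans is compiled out, as in the NiceOS build.
check_vim_build() {
    _ver=$(printf '%s\n' "$1" | vim_effective_version) || { echo "FAIL: no version line"; return 1; }
    _open=$(vim_open_cves "$_ver")
    [ -z "$_open" ] || { echo "FAIL: $_ver still affected by:"; echo "$_open"; return 1; }
    printf '%s\n' "$1" | vim_feature_disabled netbeans_intg || { echo "FAIL: netbeans_intg is enabled"; return 1; }
    echo "PASS: vim $_ver, all listed CVEs at or above fix version, netbeans_intg off"
}
```

Run `vim --version | vim_effective_version` or `check_vim_build "$(vim --version)"` against a live binary; with the pre-update version 9.1.1552 all nine CVEs are reported open, with 9.2.0420 none are.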
