Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN351
_____________________________________________________________________

DATE                : 01/04/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Vim versions prior to 9.2.0276.

=====================================================================
https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9
_____________________________________________________________________


Vim modeline bypass via various options affects Vim < 9.2.0276
High
chrisbra published GHSA-8h6p-m6gr-mpw9 Mar 31, 2026

Package
Vim (Vim)

Affected versions
< 9.2.0276

Patched versions
9.2.0276


Description
Vim modeline bypass via various options affects Vim < 9.2.0276

Date: 31.03.2026
Severity: High
CVE: CVE-2026-34982
CWE: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection') (CWE-78)


Summary

A modeline sandbox bypass in Vim allows arbitrary OS command
execution when a user opens a crafted file. The complete,
guitabtooltip and printheader options are missing the P_MLE flag,
allowing a modeline to be executed. 
Additionally, the mapset() function lacks a check_secure() call,
allowing it to be abused from sandboxed expressions.


Description

The complete option (src/optiondefs.h:684) accepts F{func} syntax
to register completion callbacks (added in patch 9.1.1178), similar
to how completefunc works. However, unlike completefunc which has
P_SECURE, complete has neither P_SECURE nor P_MLE, so the modeline
security check at src/option.c:1565-1571 is bypassed and arbitrary
lambda expressions are accepted from modelines.

Similar effects can be achieved by setting the guitabtooltip and
printheader options via a modeline and abusing the mapset() function
to execute arbitrary code on random key mappings.


Impact

An attacker who can deliver a crafted file to a victim achieves
arbitrary command execution with the privileges of the user running
Vim.


Acknowledgements

The Vim project would like to thank "dfwjj x" and "Avishay Matayev" for
identifying the vulnerability chain, providing a detailed root cause
analysis and reproduction steps


References

The issue has been fixed as of Vim patch v9.2.0276

    Commit
    GitHub Advisory

Severity
High
8.2/ 10

CVSS v3 base metrics
Attack vector
Local
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CVE ID
CVE-2026-34982

Weaknesses
Weakness CWE-78

Credits

    @Avishayy Avishayy Reporter



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================