Vim Vulnerability Allows Arbitrary Command Execution via Malicious Files

A high-severity vulnerability in the Vim text editor, tracked under GitHub Security Advisory GHSA-2gmj-rpqf-pxvh, allows an attacker to achieve full arbitrary OS command execution simply by persuading a user to open a specially crafted file.

The flaw, disclosed on March 30, 2026, affects all Vim versions before 9.2.0272 and has been assigned CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')). A CVE identifier has not yet been assigned.

Vulnerability Overview

Advisory GHSA-2gmj-rpqf-pxvh carries a High severity rating and is classified under CWE-78 (OS Command Injection), though a CVE identifier has not yet been assigned.

The vulnerability affects Vim versions before 9.2.0172 and was fully remediated in patched version 9.2.0272. Disclosed on March 30, 2026, the flaw was reported by security researcher Hung Nguyen and published by Chrisbra, a core Vim maintainer.

The vulnerability stems from a bug chain involving two separate Vim components: the tabpanel option and the autocmd_add() function.

The tabpanel option in src/optiondefs.h accepts %{expr} format strings the same way statusline and tabline do — but critically lacks the P_MLE flag.

That flag is what normally enforces the requirement that modelineexpr be enabled before expressions can be evaluated from a modeline.

Because tabpanel never carries this flag, the modeline security check at src/option.c:1572–1576 is never reached, meaning arbitrary expression strings embedded in a modeline are accepted and parsed without restriction.

Vim does partially mitigate this by detecting the insecure origin of the option and running the expression inside its sandbox, an isolated evaluation environment designed to block dangerous operations.

However, the second flaw undermines the sandbox’s protection entirely. The autocmd_add() function at src/autocmd.c:3316 contains no check_secure() call.

While the :autocmd Ex command is correctly blocked inside the sandbox (it lacks the EX_SBOXOK flag), the function interface for autocmd_add() entirely bypasses this restriction.

This allows sandboxed code to quietly register an autocommand that executes only after the sandbox has already exited, effectively breaking out of the sandbox in a deferred manner.

The attack requires no special configuration on the victim’s side. Vim’s modeline feature is enabled by default, and modelineexpr does not need to be turned on.

Any Vim build compiled with +tabpanel (which corresponds to FEAT_HUGE, the standard default build) is affected. An attacker needs only to:

  1. Craft a malicious text file embedding a weaponized modeline that sets tabpanel with a %{expr} injection string.
  2. Deliver the file to a target via email attachment, shared repository, or download.
  3. Wait for the victim to open the file in Vim.

No further interaction is required. Upon opening, the modeline is parsed, the malicious expression is injected, the sandbox is bypassed via the deferred autocommand, and arbitrary OS commands execute with the full privileges of the user running Vim.

This class of attack has historical precedent in Vim’s modeline subsystem: a similar sandbox escape (CVE-2019-12735) affected Vim versions before 8.1.1365.

Root Cause Summary

The root cause is a two-step oversight:

  • Missing P_MLE flag on the tabpanel option bypasses the modeline expression guard, allowing unapproved %{expr} strings to be accepted from untrusted file modelines.
  • Missing check_secure() in autocmd_add() allows code running inside the sandbox to register post-sandbox autocommands, defeating the sandbox’s isolation guarantees.

Together, these two gaps form a complete exploit chain that does not require any unusual Vim configuration or user interaction beyond simply opening the file.
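Because the whole chain starts with a modeline in an untrusted file, a defender can triage files (mail attachments, repository checkouts, downloads) for the pattern the advisory describes before anyone opens them in Vim. The scanner below is an added example, not code from the advisory or the Vim project. It mirrors how Vim locates modelines (only the first and last 'modelines' lines, default 5; either the `vim: opts` or the `vim: set opts:` form) and flags any modeline that sets tabpanel with a `%{expr}` string, reporting other `%{` uses at lower priority. The sample file is constructed; the short option name `tpl` for tabpanel is an assumption, and the expression used in the sample is a harmless clock call.

```python
import re

# Vim only honours modelines in the first and last 'modelines' lines (default 5).
DEFAULT_MODELINES = 5

# A modeline starts at line start or after whitespace with vi:, vim:, Vi: or ex:
# (optionally versioned, e.g. vim<900:) and runs to the end of the line.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vim?|Vi|ex)[<=>]?\d*:\s*(.*)$")

# Option names that take %{expr} but lack the P_MLE guard per the advisory.
# 'tpl' is assumed here to be the short form of 'tabpanel'.
TARGET_OPTIONS = ("tabpanel", "tpl")


def modeline_options(line: str):
    """Return the option text of a modeline, or None if the line has none."""
    m = MODELINE_RE.search(line)
    if not m:
        return None
    body = m.group(1)
    # Second modeline form: "set opt1 opt2:" -- options end at the first colon.
    sm = re.match(r"se(?:t)?\s+(.*?):", body)
    return sm.group(1) if sm else body


def classify(options: str):
    """Describe why a modeline's option text is suspicious, or return None."""
    if "%{" not in options:
        return None
    # Options may be separated by whitespace or colons in the first form.
    if re.search(r"(?:^|[\s:])(?:%s)=" % "|".join(TARGET_OPTIONS), options):
        return "sets tabpanel with a %{expr} string (GHSA-2gmj-rpqf-pxvh pattern)"
    return "modeline carries a %{expr} string"


def scan_text(text: str, modelines: int = DEFAULT_MODELINES):
    """Return (line_number, reason) for every suspicious modeline Vim would read."""
    lines = text.splitlines()
    n = len(lines)
    # Only the positions Vim would actually consider as modelines.
    head = range(min(modelines, n))
    tail = range(max(0, n - modelines), n)
    findings = []
    for idx in sorted(set(head) | set(tail)):
        opts = modeline_options(lines[idx])
        if opts is None:
            continue
        reason = classify(opts)
        if reason:
            findings.append((idx + 1, reason))
    return findings


# Constructed sample file: a benign modeline on line 2, one in the middle that
# Vim never reads (line 7), and two in the tail window that should be flagged.
SAMPLE = "\n".join([
    "# project notes",                          # 1
    "# vim: set ts=4 sw=4 et:",                 # 2  benign
    "alpha", "beta", "gamma", "delta",          # 3-6
    "# vim: set tabpanel=%{strftime('%c')}:",   # 7  outside the window, ignored
    "epsilon", "zeta", "eta",                   # 8-10
    "# vim: set tpl=%{strftime('%c')} :",       # 11 second form, short name
    "# vim: tabpanel=%{strftime('%c')}",        # 12 first form
])

if __name__ == "__main__":
    for lineno, reason in scan_text(SAMPLE):
        print(f"line {lineno}: {reason}")
```

Run it over the head and tail of any file before opening it on an unpatched host; a hit on the tabpanel pattern is a reason to quarantine the file, and a hit on the generic `%{` pattern is worth a look even though modelineexpr off blocks it for other options.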

The Vim project has addressed the issue in patch v9.2.0272, available on the official Vim GitHub releases page. The fix was committed under the commit hash 664701eb7576edb7c7c7d9f2d600815ec1f43459.

  • Update Vim immediately to version 9.2.0272 or later.
  • Disable modelines entirely by adding set nomodeline to /etc/vim/vimrc or ~/.vimrc if upgrading is not immediately possible.
  • Administrators managing shared Linux environments should deploy the patch via their system package manager (apt, yum, dnf or pacman) as distribution maintainers update their repositories.
  • Security teams should flag Vim versions below 9.2.0272 in vulnerability management and patch compliance tooling.
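The compliance checks in the list above (version below 9.2.0272, build with +tabpanel, whether the interim set nomodeline workaround is in place) can be scripted from the output of `vim --version` and the contents of a vimrc. The helper below is an added example, not tooling from the advisory or the Vim project. The `vim --version` text and the vimrc it parses are constructed samples; on a real host they would come from `subprocess.run(["vim", "--version"], ...)` and from /etc/vim/vimrc or ~/.vimrc.

```python
import re

# First patched version per the advisory, as a (major, minor, patch) tuple.
FIXED = (9, 2, 272)

# Constructed `vim --version` output (not captured from a real host). The layout
# follows what Vim prints: a version line, an "Included patches" line and a
# +/- feature table.
SAMPLE_VERSION_OUTPUT = """\
VIM - Vi IMproved 9.1 (2024 Jan 25, compiled Feb 10 2026 10:00:00)
Included patches: 1-1200
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       +tabpanel
+arabic            +find_in_path      +mouse_xterm       +tag_binary
"""

# Constructed vimrc without the interim workaround.
SAMPLE_VIMRC = """\
" minimal rc
set nocompatible
set ts=4
"""


def parse_version(output: str):
    """Turn the `vim --version` banner into (major, minor, highest patch)."""
    m = re.search(r"Vi IMproved (\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no Vim version line found")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = 0
    pm = re.search(r"Included patches:\s*(.+)", output)
    if pm:
        # "1-1200, 1202" -> the highest patch number applied.
        nums = [int(x) for x in re.findall(r"\d+", pm.group(1))]
        patch = max(nums) if nums else 0
    return (major, minor, patch)


def has_feature(output: str, name: str) -> bool:
    """True if the feature table lists +name (e.g. +tabpanel)."""
    return re.search(r"(?:^|\s)\+%s\b" % re.escape(name), output) is not None


def modeline_disabled(vimrc_text: str) -> bool:
    """True if an uncommented line sets nomodeline (or its short form noml)."""
    for line in vimrc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith('"'):      # vimscript comment
            continue
        if re.search(r"\bset\b.*\bno(?:modeline|ml)\b", stripped):
            return True
    return False


def assess(version_output: str, vimrc_text: str) -> dict:
    """Combine the three checks into one compliance record."""
    version = parse_version(version_output)
    affected_build = has_feature(version_output, "tabpanel")
    vulnerable = version < FIXED and affected_build
    mitigated = modeline_disabled(vimrc_text)
    if not vulnerable:
        action = "none"
    elif mitigated:
        action = "upgrade to 9.2.0272+ (modeline already disabled)"
    else:
        action = "upgrade to 9.2.0272+ now; add 'set nomodeline' as interim workaround"
    return {
        "version": version,
        "tabpanel": affected_build,
        "vulnerable": vulnerable,
        "modeline_disabled": mitigated,
        "action": action,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_VIMRC))
```

Version tuples compare correctly across the 9.1 to 9.2 boundary, so a 9.1 build with a high patch level is still reported as vulnerable. A build without +tabpanel is reported as not vulnerable, matching the advisory's scope, but still shows its version so the upgrade can be tracked.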

The vulnerability chain was identified by Hung Nguyen, who provided a detailed root cause analysis, reproduction steps, and suggested fixes to the Vim project. The advisory was published by Vim maintainer Chrisbra.

The post Vim Vulnerability Allows Arbitrary Command Execution via Malicious Files appeared first on Cyber Security News.