Debian Vim vulnerabilities
236 known vulnerabilities affecting debian/vim.
Total CVEs: 236
CISA KEV: 0
Public exploits: 7
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 40, MEDIUM 22, LOW 167
Vulnerabilities
Page 1 of 12
CVE-2026-34982
Severity: HIGH
CVSS: 8.2
Fixed in: vim 2:9.2.0315-1 (sid)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call
debian
CVE-2026-25749
Severity: MEDIUM
CVSS: 6.6
Fixed in: vim 2:9.1.2141-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-si
debian
CVE-2026-28417
Severity: MEDIUM
CVSS: 4.4
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes th
debian
CVE-2026-28421
Severity: MEDIUM
CVSS: 5.3
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap-buffer-overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in
debian
CVE-2026-28418
Severity: MEDIUM
CVSS: 4.4
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue.
Scope: local
bookworm: open
bullseye
debian
CVE-2026-26269
Severity: MEDIUM
CVSS: 5.4
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteratio
debian
CVE-2026-33412
Severity: MEDIUM
CVSS: 5.6
Fixed in: vim 2:9.2.0218-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has bee
debian
CVE-2026-39881
Severity: MEDIUM
CVSS: 5.0
Year: 2026
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
Scope: local
bookworm: op
debian
CVE-2026-28420
Severity: MEDIUM
CVSS: 4.4
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2:9.2.0119-1)
sid
debian
CVE-2026-28419
Severity: MEDIUM
CVSS: 5.3
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue.
Scope: local
book
debian
CVE-2026-35177
Severity: MEDIUM
CVSS: 4.1
Fixed in: vim 2:9.2.0315-1 (sid)
Year: 2026
Vim is an open source, command line text editor. Prior to 9.2.0280, a path traversal bypass in Vim's zip.vim plugin allows overwriting of arbitrary files when opening specially crafted zip archives, circumventing the previous fix for CVE-2025-53906. This vulnerability is fixed in 9.2.0280.
Scope: local
bookworm: open
bullseye: open
forky: open
sid: resolved (fixed in
debian
CVE-2026-28422
Severity: LOW
CVSS: 2.2
Fixed in: vim 2:9.2.0119-1 (forky)
Year: 2026
Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide terminal. Version 9.2.0078 patches the issue.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2:9.2.0119-1)
sid: resolved (fixed in 2:9.2.0119-1)
debian
CVE-2026-34714
Severity: LOW (entry title: CRITICAL)
CVSS: 9.2
Fixed in: vim 2:9.2.0315-1 (sid)
Year: 2026
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
Scope: local
bookworm: resolved
bullseye: resolved
forky: open
sid: resolved (fixed in 2:9.2.0315-1)
trixie: resolved
debian
CVE-2026-32249
Severity: LOW (entry title: MEDIUM)
CVSS: 5.3
Fixed in: vim 2:9.2.0218-1 (forky)
Year: 2026
Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_
debian
CVE-2025-29768
Severity: MEDIUM
CVSS: 4.4
Fixed in: vim 2:9.1.1230-1 (forky)
Year: 2025
Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim patch v9.1.1198.
Scope: local
bookworm: open
bullseye: resolved
forky: reso
debian
CVE-2025-53905
Severity: MEDIUM
CVSS: 4.1
Fixed in: vim 2:9.1.1829-1 (forky)
Year: 2025
Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing execut
debian
CVE-2025-53906
Severity: MEDIUM
CVSS: 4.1
Fixed in: vim 2:9.1.1829-1 (forky)
Year: 2025
Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successful exploitation can lead to overwriting sensitive files or placing execut
debian
CVE-2025-22134
Severity: LOW (entry title: MEDIUM)
CVSS: 4.2
Fixed in: vim 2:9.1.1113-1 (forky)
Year: 2025
When switching to other buffers using the :all command while visual mode is still active, a heap-buffer overflow may occur, because Vim does not properly end visual mode and therefore may try to access beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before opening other windows and buffers and therefore fix this b
debian
CVE-2025-55158
Severity: LOW (entry title: MEDIUM)
CVSS: 6.9
Year: 2025
Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim's internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, d
debian
CVE-2025-26603
Severity: LOW (entry title: MEDIUM)
CVSS: 4.2
Fixed in: vim 2:9.1.1230-1 (forky)
Year: 2025
Vim is a greatly improved version of the good old UNIX editor Vi. Vim allows redirecting screen messages using the `:redir` ex command to registers, variables and files. It also allows showing the contents of registers using the `:registers` or `:display` ex command. When redirecting the output of `:display` to a register, Vim will free the register content before stor
debian