Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
| Hyperlink | Resource |
|---|---|
| https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9 | x_refsource_CONFIRM |
| https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615 | x_refsource_MISC |
| https://github.com/vim/vim/releases/tag/v9.2.0276 | x_refsource_MISC |
| Hyperlink | Resource |
|---|---|
| http://www.openwall.com/lists/oss-security/2026/04/01/1 | N/A |
A flaw was found in Vim. A modeline is used to set specific editor options directly from a text file. However, the `complete`, `guitabtooltip` and `printheader` options and the `mapset()` function lack proper security checks, allowing an attacker to bypass the modeline sandbox restrictions and cause arbitrary OS command execution.
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 8.2 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
RHSA-2026:30900: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux BaseOS EUS (v. 10.0)
RHSA-2026:11389: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)
RHSA-2026:19073: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux BaseOS (v. 10)
RHSA-2026:11509: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux BaseOS (v. 8)
RHSA-2026:33453: Red Hat Enterprise Linux AppStream AUS (v.8.4), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.4), Red Hat Enterprise Linux BaseOS AUS (v.8.4), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.4)
RHSA-2026:34477: Red Hat Enterprise Linux AppStream AUS (v.8.6), Red Hat Enterprise Linux AppStream EUS EXTENSION (v.8.6), Red Hat Enterprise Linux BaseOS AUS (v.8.6), Red Hat Enterprise Linux BaseOS EUS EXTENSION (v.8.6)
RHSA-2026:34476: Red Hat Enterprise Linux AppStream E4S (v.8.8), Red Hat Enterprise Linux AppStream TUS (v.8.8), Red Hat Enterprise Linux BaseOS E4S (v.8.8), Red Hat Enterprise Linux BaseOS TUS (v.8.8)
RHSA-2026:28133: Red Hat Enterprise Linux AppStream E4S (v.9.2), Red Hat Enterprise Linux BaseOS E4S (v.9.2)
RHSA-2026:28049: Red Hat Enterprise Linux AppStream E4S (v.9.4), Red Hat Enterprise Linux BaseOS E4S (v.9.4)
RHSA-2026:28050: Red Hat Enterprise Linux AppStream EUS (v.9.6), Red Hat Enterprise Linux BaseOS EUS (v.9.6)
RHSA-2026:11510: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)
RHSA-2026:19224: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux BaseOS (v. 9)
RHSA-2026:30078: Red Hat AI Inference Server 3.3
RHSA-2026:30089: Red Hat AI Inference Server 3.3
RHSA-2026:30088: Red Hat AI Inference Server 3.3
RHSA-2026:30087: Red Hat AI Inference Server 3.3
RHSA-2026:22634: Red Hat Insights proxy 1.5
RHSA-2026:21275: Red Hat Update Infrastructure 5
To mitigate this issue, disable modeline support by adding the following command to the Vim configuration file (e.g. `~/.vimrc`):

~~~
set nomodeline
~~~
| Event | Date |
|---|---|
| Reported to Red Hat. | 2026-04-06 16:02:10 |
| Made public. | 2026-04-06 15:16:48 |