oss-sec mailing list archives

[vim-security]: Command injection via newline in glob() affects Vim < 9.2.0202


From: Christian Brabandt <cb () 256bit org>
Date: Thu, 19 Mar 2026 21:15:31 +0100

Command injection via newline in glob() affects Vim < 9.2.0202
==============================================================

Date: 19.03.2026
Severity: Medium
CVE: CVE-2026-33412
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

## Summary

A command injection vulnerability exists in Vim's `glob()` function on
Unix-like systems. By including a newline character (`\n`) in a pattern
passed to `glob()`, an attacker may be able to execute arbitrary shell
commands. Whether the injection succeeds depends on the user's 'shell'
setting.

## Description

Vim's `glob()` function and other features that perform wildcard expansion
eventually call `mch_expand_wildcards()` on Unix-based systems. This
function constructs a command string and hands it to the user's shell,
which performs the expansion.

Before handing the pattern over, Vim backslash-escapes the characters in
its `SHELL_SPECIAL` list. Because the newline character (`\n`) was
missing from that list, it reached the shell unescaped. An unquoted
newline ends a command in POSIX-style shells, so whatever follows it in
the pattern is parsed as a separate command. Whether and how this can be
exploited depends on the user's 'shell' setting.

## Impact

This vulnerability poses a significant risk if a Vimscript plugin passes
untrusted user input into `glob()` (or another function that performs
wildcard expansion). An attacker who controls such input can achieve
arbitrary code execution with the privileges of the user running Vim.
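The escaping step described under Description, and the input check a plugin should apply given the Impact above, as an added model in Python. This is not Vim's code and not part of the advisory: it reproduces the `SHELL_SPECIAL` list from os_unix.c as the author of this example recalls it, simplifies the expansion command to a plain `echo <pattern>` (Vim's real command varies with 'shell'), and models only the POSIX rule that an unquoted newline ends a command while backslash-newline is a line continuation. The constructed pattern matches nothing and its second line is a bare `echo`, so running it is harmless; because space is already escaped, the injected line has to be a single word, which is still a command.

```python
"""Model of the pattern escaping in Vim's mch_expand_wildcards() (os_unix.c)
before and after the CVE-2026-33412 fix.

Added example, not Vim's code. Assumptions: SHELL_SPECIAL reproduced from
os_unix.c from memory; expansion command simplified to "echo <pattern>";
only the newline / backslash-newline parsing rule of POSIX sh is modelled.
"""
import shutil
import subprocess

# Characters Vim prefixes with a backslash before handing a pattern to 'shell'.
SHELL_SPECIAL_BEFORE_FIX = '\t "&\'$;<>()\\|'
# Patch 9.2.0202 adds the newline to that list.
SHELL_SPECIAL_AFTER_FIX = SHELL_SPECIAL_BEFORE_FIX + "\n"


def escape_for_shell(pattern: str, special: str) -> str:
    """Backslash-escape every character of `pattern` that is listed in `special`.

    Mirrors the per-character loop in mch_expand_wildcards(): wildcard
    characters (*, ?, [) are left alone on purpose so the shell expands them.
    """
    return "".join(("\\" + ch) if ch in special else ch for ch in pattern)


def build_expand_command(pattern: str, special: str) -> str:
    """Command string handed to 'shell' -c (simplified echo style, an assumption)."""
    return "echo " + escape_for_shell(pattern, special)


def shell_splits_into_commands(cmd: str) -> int:
    """Count the command lines a POSIX shell would parse from `cmd`.

    A backslash escapes the following character, so backslash-newline is a
    line continuation and does not end the command. Quotes need no handling
    here because Vim escapes both quote characters in either list.
    """
    lines = 1
    i = 0
    while i < len(cmd):
        if cmd[i] == "\\":
            i += 2
            continue
        if cmd[i] == "\n" and i != len(cmd) - 1:
            lines += 1
        i += 1
    return lines


def run_in_sh(cmd: str):
    """Run `cmd` with the system sh -c and return its stdout lines (None if no sh)."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    proc = subprocess.run([sh, "-c", cmd], capture_output=True, text=True)
    return proc.stdout.splitlines()


def is_acceptable_glob_input(user_input: str) -> bool:
    """Plugin-side check: refuse control characters before passing input to glob().

    Rejecting the whole C0 range plus DEL, not only "\\n", also covers carriage
    return and tab; this is the conservative check to apply to untrusted input
    regardless of whether the running Vim carries the patch.
    """
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in user_input)


# Constructed input: a pattern that matches nothing, then a harmless second line.
PATTERN = "*.no_such_ext\necho"

if __name__ == "__main__":
    for label, special in (("before fix", SHELL_SPECIAL_BEFORE_FIX),
                           ("after fix", SHELL_SPECIAL_AFTER_FIX)):
        cmd = build_expand_command(PATTERN, special)
        print(f"{label}: {cmd!r} -> {shell_splits_into_commands(cmd)} command(s),"
              f" sh output {run_in_sh(cmd)}")
```

With the pre-fix list the shell sees two lines and runs the second one; with the newline added to the list the shell removes the backslash-newline pair as a continuation, so the pattern is glued into one word and nothing after the newline is ever executed. The last function is the check a plugin author would want in front of `glob()` whether or not the user's Vim is patched.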


## Acknowledgements

The Vim project would like to thank pyllyukko for identifying the
vulnerability and providing a detailed analysis of the call chain and a
reproducible example.

## References

The issue has been fixed as of Vim patch v9.2.0202.

- [Commit](https://github.com/vim/vim/commit/645ed6597d1ea896c712cd7dd)
- [GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c)

Thanks,
Christian
-- 
By the time the virus is discovered, the disk has already died.