oss-sec mailing list archives
Re: [vim-security] Vim tabpanel modeline escape affects Vim < 9.2.0272
From: Christian Brabandt <cb () 256bit org>
Date: Tue, 31 Mar 2026 17:57:55 +0200
On Mon, 30 Mar 2026, Demi Marie Obenour wrote:

> On 3/30/26 05:06, Christian Brabandt wrote:
> > ## Impact
> >
> > An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim. The attack requires only that the victim opens the file; no further interaction is needed. `modeline` is enabled by default and `modelineexpr` does not need to be enabled. Vim builds with `+tabpanel` (FEAT_HUGE, the default) are affected.
>
> Should `modeline` be disabled by default in future releases? It's a huge attack surface.

Indeed, it is probably time to disable this by default:
https://github.com/vim/vim/pull/19875

Thanks,
Christian
--
Two snowflakes meet on their way to Earth. One says: "Where to?" "To Bavaria - winter sports. And you?" "To northern Germany - traffic chaos."
