oss-sec mailing list archives

Re: [vim-security] Vim modeline bypass via various options affects Vim < 9.2.0276


From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 1 Apr 2026 09:21:35 +0200

Hi,

On Tue, Mar 31, 2026 at 08:37:06PM +0200, Christian Brabandt wrote:
Vim modeline bypass via various options affects Vim < 9.2.0276
==============================================================
Date: 31.03.2026
Severity: High
CVE: *not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

## Summary
A modeline sandbox bypass in Vim allows arbitrary OS command execution 
when a user opens a crafted file. The `complete`, `guitabtooltip` and 
`printheader` options are missing the `P_MLE` flag, allowing a modeline 
to be executed. Additionally, the `mapset()` function lacks a 
`check_secure()` call, allowing it to be abused from sandboxed 
expressions.

## Description
The `complete` option (`src/optiondefs.h:684`) accepts `F{func}` syntax 
to register completion callbacks (added in patch 9.1.1178), similar to 
how `completefunc` works. However, unlike `completefunc` which has 
`P_SECURE`, `complete` has neither `P_SECURE` nor `P_MLE`, so the 
modeline security check at `src/option.c:1565-1571` is bypassed and 
arbitrary lambda expressions are accepted from modelines.

Similar effects can be achieved by setting the `guitabtooltip` and
`printheader` options via a modeline and abusing the `mapset()` function 
to execute arbitrary code on random key mappings.

## Impact
An attacker who can deliver a crafted file to a victim achieves 
arbitrary command execution with the privileges of the user running Vim.

## Acknowledgements
The Vim project would like to thank "dfwjj x" and "Avishay Matayev" for 
identifying the vulnerability chain, providing a detailed root cause 
analysis and reproduction steps.

## References
The issue has been fixed as of Vim patch 
[v9.2.0276](https://github.com/vim/vim/releases/tag/v9.2.0276)

- [Commit](https://github.com/vim/vim/commit/75661a66a1db1e1f3f1245c615f13a7)
- [GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-8h6p-m6gr-mpw9)

CVE-2026-34982 is now assigned for this issue according to the GHSA,
so following up with that information here.

Regards,
Salvatore
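
A defender-side check for the issue in the advisory above, as an added example that is not part of the original thread or the Vim project's code: it lists modelines that set `complete`, `guitabtooltip` or `printheader`, and tests `vim --version` output for patch 9.2.0276. The function names, the short option names (`cpt`, `gtt`, `pheader`), the default `modelines` range of 5 and the sample input are assumptions of this example.

```python
import re

# Options the advisory names, plus their short names in Vim's option table.
FLAGGED = {"complete": "complete", "cpt": "complete",
           "guitabtooltip": "guitabtooltip", "gtt": "guitabtooltip",
           "printheader": "printheader", "pheader": "printheader"}
FIXED = (9, 2, 276)  # patch level that carries the fix, per the advisory

MODELINE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<>=]?\d+)?|ex):\s*(.*)$")
COLON = re.compile(r"(?<!\\):")  # ':' not escaped with a backslash

def modeline_options(line):
    """Return the option tokens of a Vim modeline, or [] if the line has none."""
    m = MODELINE.search(line)
    if not m:
        return []
    body = m.group(1)
    s = re.match(r"set?\s+(.*)$", body)
    if s:  # "vim: set opt opt:" form ends at the first unescaped ':'
        return COLON.split(s.group(1))[0].split()
    # "vim: opt:opt opt" form: ':' and blanks both separate options
    return [tok for part in COLON.split(body) for tok in part.split()]

def scan(text, modelines=5):
    """List (line_no, option, token) for flagged options within modeline range."""
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        if modelines <= i < len(lines) - modelines:
            continue  # Vim only reads the first and last 'modelines' lines
        for tok in modeline_options(line):
            name = re.match(r"[a-z]+", tok)
            if name and name.group(0) in FLAGGED:
                hits.append((i + 1, FLAGGED[name.group(0)], tok))
    return hits

def has_fix(version_output):
    """True if `vim --version` text shows patch FIXED or a later release."""
    v = re.search(r"Vi IMproved (\d+)\.(\d+)", version_output)
    if not v:
        raise ValueError("not `vim --version` output")
    ver = (int(v.group(1)), int(v.group(2)))
    if ver != FIXED[:2]:
        return ver > FIXED[:2]
    p = re.search(r"Included patches: ([\d, -]+)", version_output)
    spans = re.findall(r"(\d+)(?:-(\d+))?", p.group(1)) if p else []
    return any(int(a) <= FIXED[2] <= int(b or a) for a, b in spans)

SAMPLE = "line one\n# vim: set ts=4 cpt+=FExample :\n"  # constructed input
print(scan(SAMPLE))
```

`has_fix` reports older release series as unfixed, so a distribution build that backports the patch without listing it under "Included patches" needs the vendor's changelog instead.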
