CVE-2026-33412 Overview
CVE-2026-33412 is a command injection vulnerability in Vim, the open source command line text editor, affecting versions prior to 9.2.0202 on Unix-like systems. The flaw resides in Vim's glob() function, which fails to properly sanitize newline characters (\n) within pattern arguments. An attacker who can influence a pattern passed to glob() may execute arbitrary shell commands under the privileges of the Vim user. Successful exploitation depends on the user's configured shell setting. The maintainers patched the issue in version 9.2.0202.
Critical Impact
Arbitrary shell command execution through crafted glob patterns containing newline characters, leading to full compromise of confidentiality, integrity, and availability under the affected user context.
Affected Products
- Vim versions prior to 9.2.0202
- Unix-like operating systems where Vim invokes a shell to resolve glob patterns
- Scripts, plugins, and modelines that pass attacker-influenced input to glob()
Discovery Timeline
- 2026-03-19 - Issue discussed publicly on the OpenWall oss-security mailing list
- 2026-03-24 - CVE-2026-33412 published to NVD
- 2026-03-25 - Last updated in NVD database
Technical Details for CVE-2026-33412
Vulnerability Analysis
The vulnerability is classified as a Command Injection issue under [CWE-78] (Improper Neutralization of Special Elements used in an OS Command). Vim's glob() function expands file path patterns by delegating to a shell on Unix-like systems. When the supplied pattern contains a newline character, the shell interprets the content after the newline as a separate command. Because glob() is frequently called by plugins, autocommands, and user scripts with values derived from filenames, buffer contents, or external sources, the function becomes a viable injection sink. Exploitation requires local interaction, such as opening a crafted file or running a script that invokes glob() against untrusted data.
Root Cause
The root cause is missing neutralization of shell metacharacters, specifically the newline byte, before passing pattern arguments to the underlying shell invocation. Vim relied on the user's shell option to expand globs without escaping line terminators, so any pattern containing \n produced a shell command boundary that the interpreter then executed.
Attack Vector
An attacker crafts content that causes glob() to receive a pattern such as legit_path\ncommand_to_run. When Vim, a plugin, or a modeline calls glob() on that value, the shell splits the input on the newline and executes the appended command. Delivery paths include malicious filenames in an archive, hostile project directories opened in Vim, plugin behaviors that pass buffer text to glob(), or scripted environments where untrusted input flows into pattern arguments. Exploitation runs with the privileges of the Vim process and is constrained to interpreters honored by the user's shell setting.
No verified public proof-of-concept code is included in the advisory. See the GitHub Security Advisory GHSA-w5jw-f54h-x46c and the upstream fix commit for technical details on the corrected sanitization logic.
Detection Methods for CVE-2026-33412
Indicators of Compromise
- Vim child processes spawning shells (sh, bash, zsh) that execute unexpected commands such as curl, wget, nc, or base64-encoded payloads.
- Filenames or buffer content containing embedded newline bytes adjacent to shell metacharacters.
- Unexpected outbound network connections initiated from a Vim process tree shortly after a file is opened.
Detection Strategies
- Inventory installed Vim binaries and flag any version earlier than 9.2.0202 on Unix-like hosts.
- Hunt for process lineage where vim or gvim is the parent of shell processes executing arguments not tied to expected editor workflows.
- Inspect plugin and script repositories for calls to glob() that consume untrusted input without prior sanitization.
Monitoring Recommendations
- Enable command-line auditing (for example, auditd with execve rules) on developer and administrator workstations.
- Alert on Vim spawning interpreters that subsequently invoke networking or persistence tooling.
- Review historical shell history and audit logs for anomalous commands executed in user sessions immediately after editor activity.
How to Mitigate CVE-2026-33412
Immediate Actions Required
- Upgrade Vim to version 9.2.0202 or later on all Unix-like systems.
- Audit shared plugins, build scripts, and CI runners that invoke glob() against attacker-influenced data.
- Treat files received from untrusted sources, including archives and shared repositories, as potentially malicious until the patched version is deployed.
Patch Information
The fix is delivered in Vim 9.2.0202 and tracked in the upstream commit 645ed6597d1ea896c712cd7ddbb6edee79577e9a. Reference the Vim 9.2.0202 release notes, the upstream commit, and the GHSA-w5jw-f54h-x46c advisory for distribution-specific package updates.
Workarounds
- Avoid invoking glob() on data sourced from untrusted files, buffers, or environment variables until patched.
- Set the shell option to an interpreter with reduced functionality, or disable plugins that pass external content into glob().
- Disable modelines (set nomodeline) to reduce the risk of attacker-controlled configuration influencing glob expansion.
# Configuration example
# Verify installed Vim version
vim --version | head -n 1
# Debian/Ubuntu: upgrade Vim packages
sudo apt update && sudo apt install --only-upgrade vim vim-common vim-runtime
# RHEL/Fedora: upgrade Vim packages
sudo dnf upgrade vim-enhanced vim-common
# Defensive hardening in ~/.vimrc until patched
set nomodeline
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
