CVE-2026-34982 Overview
CVE-2026-34982 is a command injection vulnerability in Vim, the popular open source command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass allows arbitrary OS command execution when a user opens a specially crafted file. The vulnerability stems from multiple security-related options (complete, guitabtooltip, and printheader) missing the P_MLE (modeline) flag, combined with the mapset() function lacking a check_secure() call. This allows attackers to bypass sandbox restrictions and execute arbitrary commands through malicious modelines embedded in text files.
Critical Impact
Opening a malicious file in Vim could result in arbitrary OS command execution with the privileges of the current user, potentially leading to complete system compromise.
Affected Products
- Vim versions prior to 9.2.0276
Discovery Timeline
- April 6, 2026 - CVE-2026-34982 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34982
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command - Command Injection). The security flaw exists in Vim's modeline feature, which allows files to contain embedded configuration directives that are automatically processed when the file is opened.
Vim implements a sandbox mechanism to restrict dangerous operations when processing modelines. However, three options—complete, guitabtooltip, and printheader—were missing the P_MLE (modeline) flag that would prevent them from being set via modelines. Additionally, the mapset() function, which is used to set keyboard mappings, lacked a check_secure() call that would block its execution from sandboxed contexts.
An attacker can craft a malicious file with embedded modeline commands that exploit these oversights to execute arbitrary operating system commands when a victim opens the file in Vim.
Root Cause
The root cause is twofold: First, the option definitions in src/optiondefs.h for complete, guitabtooltip, and printheader were missing the P_MLE flag, which should restrict options that can be set via modelines. Second, the mapset() function in src/map.c did not include a check_secure() call to verify it was not being called from a sandboxed context.
Attack Vector
The attack requires local access where a victim must open a maliciously crafted file using Vim. The attacker embeds specially crafted modeline directives in the file that exploit the missing security checks. When the victim opens the file, Vim processes the modelines, bypasses the sandbox, and executes arbitrary OS commands with the user's privileges.
The following patch in src/map.c adds the missing security check to the mapset() function:
int dict_only;
mapblock_T *mp_result[2] = {NULL, NULL};
+ if (check_secure())
+ return;
+
// If first arg is a dict, then that's the only arg permitted.
dict_only = argvars[0].v_type == VAR_DICT;
if (in_vim9script()
Source: GitHub Commit Details
The following patch in src/optiondefs.h adds the P_MLE flag to the complete option:
{"compatible", "cp", P_BOOL|P_RALL,
(char_u *)&p_cp, PV_NONE, did_set_compatible, NULL,
{(char_u *)TRUE, (char_u *)FALSE} SCTX_INIT},
- {"complete", "cpt", P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP,
+ {"complete", "cpt", P_STRING|P_ALLOCED|P_VI_DEF|P_ONECOMMA|P_NODUP|P_MLE,
(char_u *)&p_cpt, PV_CPT, did_set_complete, expand_set_complete,
{(char_u *)".,w,b,u,t,i", (char_u *)0L}
SCTX_INIT},
Source: GitHub Commit Details
Detection Methods for CVE-2026-34982
Indicators of Compromise
- Files containing suspicious modeline directives that reference complete, guitabtooltip, printheader, or mapset()
- Unexpected child processes spawned by Vim processes
- Vim process executing shell commands or accessing unusual system resources
- Log entries showing Vim accessing network resources or executing binaries
Detection Strategies
- Monitor for Vim processes spawning unexpected child processes, especially shells or system utilities
- Implement file integrity monitoring on systems where Vim is commonly used to detect malicious file placement
- Use endpoint detection to identify command execution patterns associated with text editor exploitation
- Analyze opened files for embedded modeline syntax attempting to set restricted options
Monitoring Recommendations
- Configure security monitoring to alert on Vim spawning shell processes or making network connections
- Implement behavioral analysis for text editor processes executing system commands
- Monitor user home directories and common file locations for files containing suspicious modeline patterns
- Enable Vim logging where possible to track option changes during file opening
How to Mitigate CVE-2026-34982
Immediate Actions Required
- Upgrade Vim to version 9.2.0276 or later immediately
- Disable modelines in Vim by adding set nomodeline to your vimrc configuration
- Review recently opened files for potential malicious modeline content
- Audit systems for any signs of compromise if untrusted files have been opened in Vim
Patch Information
The vulnerability has been fixed in Vim version 9.2.0276. The fix adds the P_MLE flag to the complete, guitabtooltip, and printheader options in src/optiondefs.h and implements the check_secure() call in the mapset() function in src/map.c. Users should upgrade to version 9.2.0276 or later. See the GitHub Security Advisory GHSA-8h6p-m6gr-mpw9 for additional details.
Workarounds
- Disable modelines by adding set nomodeline to your .vimrc or vimrc configuration file
- Set modelines=0 in your Vim configuration to prevent processing of any modeline directives
- Avoid opening untrusted files in Vim until the patch is applied
- Use the secure option to enable additional sandbox restrictions when necessary
# Configuration example - Add to ~/.vimrc to disable modelines
echo 'set nomodeline' >> ~/.vimrc
echo 'set modelines=0' >> ~/.vimrc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
