CVE-2026-46483 Overview
CVE-2026-46483 is a command injection vulnerability [CWE-78] in the Vim text editor's tar.vim runtime plugin. The flaw exists in the tar#Vimuntar() function within runtime/autoload/tar.vim when decompressing .tgz archives on Unix-like systems. The function builds :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag. This omission allows a crafted archive filename to trigger Vim cmdline-special expansion and execute arbitrary shell commands in the user's context. The issue affects Vim versions prior to 9.2.0479 and was fixed in release 9.2.0479.
Critical Impact
A maliciously named .tgz archive can execute arbitrary shell commands with the privileges of the user running Vim, leading to full local code execution.
Affected Products
- Vim versions prior to 9.2.0479
- runtime/autoload/tar.vim plugin on Unix-like systems
- Any platform where Vim processes .tgz archives through the tar plugin
Discovery Timeline
- 2026-05-15 - CVE-2026-46483 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-46483
Vulnerability Analysis
The vulnerability resides in Vim's tar.vim runtime plugin, which provides transparent editing of tar archives. When a user opens a .tgz file, the tar#Vimuntar() function invokes external decompression utilities through Vim's :! shell-execution syntax. The function passes the archive filename through shellescape() to neutralize shell metacharacters but omits the {special} argument required when the escaped value is embedded in a :! command.
Without {special}, Vim's cmdline-special characters such as %, #, and ! are not escaped. These tokens undergo Vim expansion before the shell receives the command line. An attacker who controls the archive filename can embed cmdline-special sequences that Vim expands into attacker-chosen content, bypassing the shell-quoting protection entirely.
Root Cause
The root cause is incorrect use of shellescape() when constructing shell commands for :!. The Vim documentation states that the {special} flag must be set to non-zero when the result will be passed to :! so that cmdline-special characters receive a backslash escape. The pre-patch code called shellescape(tartail) instead of shellescape(tartail, 1), leaving expansion-time substitution exploitable.
Attack Vector
Exploitation requires a victim to open a crafted .tgz archive in Vim. The archive filename contains cmdline-special metacharacters that Vim expands when building the :!gunzip or :!gzip -d command. Once expansion occurs, the shell executes attacker-controlled commands under the user's account. User interaction is required, and the attacker must place the file where the victim will open it.
" 2026 Apr 09 by Vim Project: fix bug with dotted filename (#19930)
" 2026 Apr 15 by Vim Project: fix more path traversal issues (#19981)
" 2026 Apr 16 by Vim Project: use g:tar_secure in tar#Extract()
" 2026 May 14 by Vim Project: use correct shellescape() call in Vimuntar()
Source: Vim commit 3fb5e58fbc63 — the patch header documents the corrected shellescape() call in Vimuntar().
Detection Methods for CVE-2026-46483
Indicators of Compromise
- .tgz archive files with unusual filenames containing %, #, or ! characters
- Unexpected child shell processes spawned by vim or gvim when opening archive files
- Shell history entries showing commands triggered by file open operations rather than user input
- Outbound network connections initiated shortly after a user opens a .tgz file in Vim
Detection Strategies
- Monitor process trees where vim or gvim is the parent of sh, bash, gunzip, or gzip invocations with anomalous arguments
- Inspect file write events for .tgz files placed in user-accessible locations such as Downloads, /tmp, or shared directories
- Track Vim plugin and runtime version inventory across endpoints to identify hosts running versions earlier than 9.2.0479
Monitoring Recommendations
- Enable command-line auditing through auditd or equivalent on Linux endpoints to capture full shell command arguments
- Log file open events for archive types associated with editor plugins
- Alert on filename patterns containing cmdline-special characters in user-writable directories
How to Mitigate CVE-2026-46483
Immediate Actions Required
- Upgrade Vim to version 9.2.0479 or later on all Unix-like systems
- Audit endpoint inventory to identify Vim builds shipped by distribution packages that remain at vulnerable versions
- Instruct users to avoid opening untrusted .tgz archives directly in Vim until patches are deployed
Patch Information
The fix is delivered in Vim patch 9.2.0479, which corrects the shellescape() invocation in tar#Vimuntar() to include the {special} flag. Review the Vim Security Advisory GHSA-2fpv-9ff7-xg5w and the GitHub Release v9.2.0479 for source and binary distribution details.
Workarounds
- Disable the bundled tar plugin by adding let g:loaded_tarPlugin = 1 and let g:loaded_tar = 1 to ~/.vimrc
- Decompress .tgz archives outside of Vim using standalone tar and gzip utilities before editing contents
- Restrict file associations so that archive files do not open in Vim by default
# Disable Vim tar plugin until patched version is installed
cat >> ~/.vimrc <<'EOF'
let g:loaded_tarPlugin = 1
let g:loaded_tar = 1
EOF
# Verify installed Vim version meets or exceeds the fixed release
vim --version | head -n 1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
