CVE-2026-59858

Vim · Vim

A code injection vulnerability in Vim allows local attackers to execute arbitrary code via malicious input, potentially resulting in full system compromise.

Executive summary

Vim versions prior to 9.2.0735 are vulnerable to a code injection flaw that could allow a local attacker to execute arbitrary commands with the privileges of the user running the application.

Vulnerability

This vulnerability is identified as CWE-94: Improper Control of Generation of Code. The flaw allows an attacker to inject and execute arbitrary code, requiring user interaction (typically opening a malicious file) to trigger the exploit.

Business impact

The vulnerability carries a CVSS score of 8.4, which is categorized as High. A successful exploit could lead to full loss of confidentiality, integrity, and availability for the local user session. In environments where Vim is used by administrative or automated service accounts, this could facilitate privilege escalation or lateral movement within the host system.

Remediation

Immediate Action: Update the Vim installation to version 9.2.0735 or later immediately to resolve the injection flaw.

Proactive Monitoring: Audit command-line history and system logs for unexpected child processes or unusual shell invocations triggered by the Vim editor.

Compensating Controls: Implement strict file access controls and ensure that untrusted files are opened in restricted modes (e.g., vim -Z or rvim) where applicable.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this code injection vulnerability necessitates prompt action. Organizations should prioritize patching all systems running Vim to the specified secure version to prevent unauthorized command execution.