
Vim Update Needed to Fix Security Flaws in Command Line Editor

OESA-2026-1565
Summary

openEuler users need to update vim to the patched package builds listed below. These builds backport the fixes for six upstream Vim issues (CVE-2026-28417 through CVE-2026-28422, fixed upstream in Vim 9.2.0073 through 9.2.0078); the openEuler package versions differ from the upstream version numbers, so compare against the build listed for your service pack, not against 9.2.x. The most serious issue is an OS command injection in the bundled netrw plugin, reachable by opening a crafted URL: an attacker can execute arbitrary shell commands with the privileges of the Vim process. The remaining issues are memory-safety bugs (out-of-bounds reads and writes, a buffer underflow, a stack buffer overflow) triggered by malformed tags files, crafted swap files, terminal output and statusline rendering; they can crash Vim, and the out-of-bounds reads can expose memory contents. Until the update is applied, opening attacker-supplied files, URLs, tags files or swap files in Vim carries risk.

What to do
  • Update vim to version 9.0.2092-26.oe2403sp2.
  • Update vim to version 9.0.2092-26.oe2403sp3.
  • Update vim to version 9.0-40.oe2003sp4.
  • Update vim to version 9.0-40.oe2203sp4.
  • Update vim to version 9.0.2092-26.oe2403sp1.
Affected software

Product  Affected versions (as listed)  Fix available
vim      <= 9.0.2092-26.oe2403sp2       9.0.2092-26.oe2403sp2
vim      <= 9.0.2092-26.oe2403sp3       9.0.2092-26.oe2403sp3
vim      <= 9.0-40.oe2003sp4            9.0-40.oe2003sp4
vim      <= 9.0-40.oe2203sp4            9.0-40.oe2203sp4
vim      <= 9.0.2092-26.oe2403sp1       9.0.2092-26.oe2403sp1

The affected range in each row, as listed, includes the fixed build itself. Per the "What to do" list the build named under "Fix available" is the patched one, so treat any build of that stream older than it as affected.
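To check a host against these builds, here is an added shell example (not part of the advisory) that compares an installed openEuler vim package's version-release string, in the form rpm prints it, against the fixed build for its service-pack stream. The fixed versions are the ones listed above; the subpackage names vim-enhanced, vim-minimal and vim-common are assumptions, and the input strings used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the openEuler advisory: decide whether an installed
# openEuler vim build is older than the fixed build for its service-pack stream.
# Assumes RPM version-release strings in the form printed by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' vim-enhanced
# (the subpackage names below are assumptions; adjust to what is installed).

# Fixed version-release per stream, from the advisory's "What to do" list.
fixed_for_stream() {
    case "$1" in
        oe2003sp4) echo "9.0-40.oe2003sp4" ;;
        oe2203sp4) echo "9.0-40.oe2203sp4" ;;
        oe2403sp1) echo "9.0.2092-26.oe2403sp1" ;;
        oe2403sp2) echo "9.0.2092-26.oe2403sp2" ;;
        oe2403sp3) echo "9.0.2092-26.oe2403sp3" ;;
        *) return 1 ;;
    esac
}

# The stream tag is the release's last dot-separated field, e.g. oe2403sp2.
stream_of() {
    printf '%s\n' "${1##*.}"
}

# Exit status: 0 = affected (older than the fix), 1 = fixed or newer,
# 2 = stream not covered by this advisory (no verdict, not a false "ok").
vim_is_affected() {
    installed=$1
    fixed=$(fixed_for_stream "$(stream_of "$installed")") || return 2
    [ "$installed" = "$fixed" ] && return 1
    # sort -V (GNU coreutils) orders RPM-style version-release strings field by
    # field; the installed build is affected when the fixed build sorts after it.
    last=$(printf '%s\n%s\n' "$installed" "$fixed" | sort -V | tail -n 1)
    [ "$last" = "$fixed" ]
}

# Human-readable verdict for one version-release string.
verdict() {
    rc=0
    vim_is_affected "$1" || rc=$?
    case $rc in
        0) echo "AFFECTED  $1" ;;
        1) echo "ok        $1" ;;
        *) echo "unknown   $1 (stream not in OESA-2026-1565)" ;;
    esac
}

# Usage: pass version-release strings as arguments to test offline, or run with
# no arguments on an openEuler host to query rpm for the installed subpackages.
if [ "$#" -gt 0 ]; then
    for v in "$@"; do verdict "$v"; done
elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' vim-enhanced vim-minimal vim-common 2>/dev/null \
        | grep -v 'not installed' | while read -r v; do verdict "$v"; done
fi
```

Builds from streams this advisory does not cover get "unknown" rather than "ok", so a host on a different service pack is not silently passed. The comparison relies on GNU sort -V; if you need exact RPM semantics (epochs, tilde pre-release versions), use rpmdev-vercmp from rpmdevtools instead.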
Original title
vim security update
Original description
Vim is an advanced text editor that seeks to provide the power of the de-facto Unix editor 'Vi', with a more complete feature set. Vim is a highly configurable text editor built to enable efficient text editing. It is an improved version of the vi editor distributed with most UNIX systems.

Security Fix(es):

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the netrw standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the scp:// protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue.(CVE-2026-28417)
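As an added illustration of the vulnerability class described here (not netrw's or Vim's code, and not a reproduction of CVE-2026-28417), the following shell snippet places a toy handler that splices a URL into a shell command line next to a hardened handler that validates the URL and passes it as a single argument. The URLs, the injected payload and the "transfer" placeholder standing in for the real transfer command are constructed.

```shell
#!/bin/sh
# Added illustration of the bug class behind CVE-2026-28417 (a URL interpolated
# into a shell command line). This is not netrw's or Vim's code and does not
# reproduce the actual vulnerability; the URLs and payload are constructed, and
# the real transfer command is replaced by 'echo' so the example runs offline.

# Vulnerable pattern: the URL is spliced into a string that a shell re-parses,
# so ';', '$(...)', backticks and similar inside the URL become shell syntax.
open_url_unsafe() {
    sh -c "echo transfer $1"
}

# Hardened pattern, step 1: accept only the scheme we intend to handle and only
# a conservative character set (POSIX 'case' globs; [!...] negates the set).
url_is_clean() {
    case "$1" in
        scp://*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!A-Za-z0-9./:_@%~-]*) return 1 ;;
    esac
    return 0
}

# Hardened pattern, step 2: pass the validated URL as one argv element, never
# through 'sh -c' or eval, so no further shell parsing can happen.
open_url_safe() {
    url_is_clean "$1" || { echo "rejected: $1" >&2; return 1; }
    echo transfer "$1"
}

# Demo: each argument is handled with the hardened path; rejected URLs are
# reported on stderr. Run with no arguments to define the functions only.
for u in "$@"; do
    open_url_safe "$u" || :
done
```

Calling open_url_unsafe with a constructed URL such as scp://host/file;echo INJECTED runs the text after the semicolon as a command; the hardened path rejects the same input before anything runs. The character allowlist is the cheap check, but the argv discipline is what removes the injection surface: even a clean-looking URL must never be handed to a shell for re-parsing.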

Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be made to read up to 7 bytes beyond the end of the allocated buffer. Version 9.2.0074 fixes the issue. (CVE-2026-28418)

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file in which a delimiter appears at the start of a line, Vim reads memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue. (CVE-2026-28419)

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow (write) and an out-of-bounds read exist in Vim's terminal emulator when it processes the maximum number of combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue. (CVE-2026-28420)

Vim is an open source, command line text editor. In versions prior to 9.2.0077, a heap buffer overflow and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue. (CVE-2026-28421)

Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack buffer overflow occurs in the `build_stl_str_hl()` function when rendering a statusline with a multi-byte fill character on a very wide terminal. This can crash Vim and may have further security impact. Version 9.2.0078 fixes the issue. (CVE-2026-28422)
Published: 15 Mar 2026 · Updated: 15 Mar 2026 · First seen: 15 Mar 2026