Cyber Posture

CVE-2026-34714

Critical

Published: 30 March 2026
Modified: 03 April 2026
KEV Added: not listed
Patch: available
CVSS Score: 9.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-34714 is a critical-severity OS Command Injection (CWE-78) vulnerability in Vim (vendor: Vim). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent (SI-2, Flaw Remediation): Requires timely remediation of software flaws, directly mitigating the %{expr} injection vulnerability by patching Vim to version 9.2.0272 or later.

Detect (RA-5, Vulnerability Monitoring and Scanning): Mandates vulnerability monitoring and scanning to identify the presence of vulnerable Vim versions prior to exploitation via crafted files.

Prevent: Enforces software usage restrictions through whitelisting, preventing execution of unpatched vulnerable Vim instances.
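As an added example that is not part of this advisory: a POSIX shell check that reads the banner printed by `vim --version` and reports whether the build already contains patch 9.2.0272, the fix for CVE-2026-34714. Distribution builds report only "9.2" on the first line and carry the patch level in the "Included patches:" line, so that line has to be parsed. The sample banner is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the Vim project): decide from the
# output of `vim --version` whether the build is 9.2.0272 or later.

# Highest patch number listed on the "Included patches:" line, e.g.
# "Included patches: 1-100, 102-271" -> 271. Prints nothing if absent.
highest_vim_patch() {
  printf '%s\n' "$1" | grep '^Included patches:' | tr -c '0-9\n' '\n' \
    | grep -v '^$' | sort -n | tail -n 1
}

# Returns 0 when the build is 9.2.0272 or later, 1 when it predates the fix
# (or when the banner is not recognised, so an unknown build is never
# reported as fixed).
vim_fixed_for_cve_2026_34714() {
  ver=$(printf '%s\n' "$1" \
    | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' \
    | head -n 1)
  [ -n "$ver" ] || return 1
  major=${ver%% *}
  minor=${ver##* }
  patch=$(highest_vim_patch "$1")
  patch=${patch:-0}
  if [ "$major" -gt 9 ]; then return 0; fi
  if [ "$major" -lt 9 ]; then return 1; fi
  if [ "$minor" -gt 2 ]; then return 0; fi
  if [ "$minor" -lt 2 ]; then return 1; fi
  [ "$patch" -ge 272 ]
}

# Constructed sample banner (not captured from any real host).
SAMPLE='VIM - Vi IMproved 9.2 (2025 Aug 29, compiled Mar 01 2026 10:00:00)
Included patches: 1-100, 102-271'

if vim_fixed_for_cve_2026_34714 "$SAMPLE"; then
  echo "Vim includes patch 9.2.0272: not affected by CVE-2026-34714"
else
  echo "Vim predates patch 9.2.0272: update to 9.2.0272 or later"
fi
# For the local install: vim_fixed_for_cve_2026_34714 "$(vim --version)"
```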

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
T1059.004 Unix Shell (tactic: Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability enables arbitrary code execution via OS command injection when opening a specially crafted file in the Vim client application, directly mapping to exploitation of client apps for code execution (T1203), user execution of malicious files (T1204.002), and Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

Deeper analysis

CVE-2026-34714 is a high-severity vulnerability (CVSS 3.1 score of 9.2) affecting Vim text editor versions prior to 9.2.0272. It enables arbitrary code execution upon opening a specially crafted file in the default configuration, stemming from a %{expr} injection flaw in the tabpanel feature due to the absence of P_MLE protection. This issue is classified under CWE-78 (OS Command Injection) and was publicly disclosed on March 30, 2026.

The CVSS vector records local access, low attack complexity, no privileges and no required user interaction (AV:L/AC:L/PR:N/UI:N); the only step the attacker depends on is the victim opening the malicious file. Successful exploitation changes scope (S:C) and grants high-impact confidentiality and integrity violations alongside low availability impact (C:H/I:H/A:L), allowing immediate code execution on the victim's system in the context of the Vim process.

Mitigation is addressed in Vim's official patches, including commit 664701eb7576edb7c7c7d9f2d600815ec1f43459 and the release of version 9.2.0272. The GitHub security advisory (GHSA-2gmj-rpqf-pxvh) and oss-security mailing list announcements detail the fix, recommending users upgrade to Vim 9.2.0272 or later to prevent exploitation.

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: vendor vim, product vim, versions ≤ 9.2.0272

CVEs Like This One

CVE-2026-33412: same product (Vim Vim)
CVE-2026-34982: same product (Vim Vim)
CVE-2026-28417: same product (Vim Vim)
CVE-2026-39881: same product (Vim Vim)
CVE-2026-28421: same product (Vim Vim)
CVE-2026-26269: same product (Vim Vim)
CVE-2026-35177: same product (Vim Vim)
CVE-2025-27423: same product (Vim Vim)
CVE-2026-33874: shared CWE-78
CVE-2025-1215: same product (Vim Vim)