CVE-2026-34982
Published: 06 April 2026
Summary
CVE-2026-34982 is a high-severity OS Command Injection (CWE-78) vulnerability in Vim. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The vulnerability is ranked in the 10.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the modeline sandbox bypass by requiring timely patching of Vim to version 9.2.0276 or later.
- CM-6 (Configuration Settings): Enforces secure configuration settings for Vim, such as disabling modelines with 'nomodeline', to prevent processing of malicious modeline commands.
- CM-7 (Least Functionality): Restricts Vim to least functionality by prohibiting or disabling unnecessary features such as modeline execution or sandboxed expressions vulnerable to bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows arbitrary OS command execution via a crafted file opened by the user, directly enabling Malicious File user execution and abuse of command and scripting interpreters.
NVD Description
Vim is an open source, command line text editor. Prior to version 9.2.0276, a modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file. The `complete`, `guitabtooltip` and `printheader` options are missing the `P_MLE` flag, allowing a modeline to be executed. Additionally, the `mapset()` function lacks a `check_secure()` call, allowing it to be abused from sandboxed expressions. Commit 9.2.0276 fixes the issue.
Deeper analysis
CVE-2026-34982 is a modeline sandbox bypass vulnerability in Vim, an open-source, command-line text editor. Versions prior to 9.2.0276 are affected, allowing arbitrary OS command execution when a user opens a crafted file. The vulnerability stems from the `complete`, `guitabtooltip`, and `printheader` options missing the `P_MLE` flag, which permits them to be set from a modeline, and from the `mapset()` function lacking a `check_secure()` call, which enables abuse from sandboxed expressions. It is classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 8.2 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-04-06.
The attack requires an attacker to deliver a specially crafted file to a victim, who must then open it using a vulnerable Vim instance. Exploitation requires a local attack vector, low attack complexity, no privileges and user interaction, but achieves changed scope with high impact to confidentiality and integrity. Successful exploitation grants the attacker arbitrary operating system command execution in the context of the Vim process.
Mitigation is provided by updating to Vim version 9.2.0276 or later, which includes the fixing commit 75661a66a1db1e1f3f1245c615. Further details on the patch and vulnerability are documented in the GitHub security advisory GHSA-8h6p-m6gr-mpw9, the release notes for v9.2.0276, and the oss-security mailing list announcement from 2026-04-01.
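As an added example (not part of the advisory and not Vim's own tooling), the following POSIX shell script checks the two mitigations above: it parses `vim --version` output to decide whether the installed Vim is 9.2.0276 or later, and inspects a vimrc for a `set nomodeline` directive. It assumes Vim's standard `--version` layout (the `VIM - Vi IMproved` and `Included patches:` lines); all sample inputs are constructed.

```shell
# Offline checks for the advisory's two mitigations: Vim at 9.2.0276 or later
# (SI-2 Flaw Remediation) and 'set nomodeline' in vimrc (CM-6 Configuration Settings).
FIXED_MAJOR=9; FIXED_MINOR=2; FIXED_PATCH=276

# Read `vim --version` text from stdin and print "MAJOR MINOR PATCH". Vim prints
# "VIM - Vi IMproved 9.2 (...)" on the first line and "Included patches: 1-276"
# further down; the last number on that line is the highest patch level.
vim_version_triplet() {
  awk '
    /^VIM - Vi IMproved/ { split($5, v, "."); major = v[1]; minor = v[2] }
    /^Included patches:/ { n = split($NF, r, /[-,]/); patch = r[n] }
    END { if (patch == "") patch = 0; print major, minor, patch }'
}

# Exit 0 when the version on stdin is >= 9.2.0276, 1 when older or unrecognised.
vim_is_patched() {
  set -- $(vim_version_triplet)
  major=$1; minor=$2; patch=$3
  [ -n "$major" ] && [ -n "$minor" ] || return 1   # not Vim's --version format
  if [ "$major" -ne "$FIXED_MAJOR" ]; then [ "$major" -gt "$FIXED_MAJOR" ]; return $?; fi
  if [ "$minor" -ne "$FIXED_MINOR" ]; then [ "$minor" -gt "$FIXED_MINOR" ]; return $?; fi
  [ "$patch" -ge "$FIXED_PATCH" ]
}

# Read vimrc text from stdin: exit 0 when the last modeline directive turns the
# option off ('set nomodeline' / 'set noml'), 1 otherwise. Vim enables 'modeline'
# by default for non-root users, so no directive at all means modelines are on.
vimrc_disables_modeline() {
  awk '
    /^[ \t]*se(t)?[ \t]+(no)?(modeline|ml)([ \t]|$)/ {
      state = ($0 ~ /[ \t]no(modeline|ml)([ \t]|$)/) ? "off" : "on"
    }
    END { exit ((state == "off") ? 0 : 1) }'
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_VIM_OLD='VIM - Vi IMproved 9.2 (2026 Jan 01, compiled Jan 01 2026 00:00:00)
Included patches: 1-275'
SAMPLE_VIMRC='set nocompatible
set nomodeline        " never honour modelines from opened files'
if [ "${1:-}" = "--live" ]; then   # check the installed Vim and ~/.vimrc
  vim --version | vim_is_patched && echo "vim: 9.2.0276 or later" \
    || echo "vim: VULNERABLE, update to 9.2.0276 or later"
  [ -r "$HOME/.vimrc" ] && vimrc_disables_modeline < "$HOME/.vimrc" \
    && echo "vimrc: modelines disabled" || echo "vimrc: modelines enabled, add 'set nomodeline'"
else                               # offline demo on the constructed samples
  printf '%s\n' "$SAMPLE_VIM_OLD" | vim_is_patched && echo "sample vim: patched" || echo "sample vim: vulnerable"
  printf '%s\n' "$SAMPLE_VIMRC" | vimrc_disables_modeline && echo "sample vimrc: hardened" || echo "sample vimrc: not hardened"
fi
```

Run with `--live` on a workstation to check the real installation; without arguments it exercises the constructed samples only.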
Details
- CWE(s)