CVE-2026-39881
Published: 08 April 2026
Summary
CVE-2026-39881 is a medium-severity Code Injection (CWE-94) vulnerability in Vim. Its CVSS base score is 5.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked in the 9.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-11 (User-installed Software).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): requires timely identification, reporting, and patching of the command injection flaw in Vim's netbeans interface by updating to version 9.2.0316 or later, which directly eliminates the vulnerability.
- CM-7 (Least Functionality): disable or restrict the netbeans interface in Vim where it is not required, reducing the attack surface exposed to malicious netbeans servers.
- CM-11 (User-installed Software): controls and approves user-installed software such as vulnerable Vim versions, ensuring only patched instances are deployed.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Command injection in Vim's netbeans protocol allows a malicious server to execute arbitrary Ex commands (including shell invocation) as soon as the client connects, which directly enables client-side exploitation and Unix shell command execution.
NVD Description
Vim is an open source, command line text editor. Prior to 9.2.0316, a command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the defineAnnoType and specialKeys protocol messages. This vulnerability is fixed in 9.2.0316.
Deeper analysis [AI]
CVE-2026-39881 is a command injection vulnerability (CWE-94) in the netbeans interface of Vim, an open source command-line text editor. Versions of Vim prior to 9.2.0316 are affected, where unsanitized strings in the defineAnnoType and specialKeys protocol messages allow a malicious netbeans server to execute arbitrary Ex commands when a vulnerable Vim instance connects to it. The vulnerability carries a CVSS v3.1 base score of 5.0 (AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N), indicating medium severity with high integrity impact potential.
Exploitation requires a local attacker with low privileges to control a malicious netbeans server and trick a user into connecting Vim to it, involving user interaction and high attack complexity. Upon successful connection, the attacker can execute arbitrary Ex commands within the victim's Vim session, potentially leading to low confidentiality impact and high integrity impact, such as modifying files or executing further commands depending on the Ex commands injected.
The vulnerability is fixed in Vim version 9.2.0316, as detailed in the project's GitHub security advisory (GHSA-mr87-rhgv-7pw6), release notes, and the patching commit. Security practitioners should advise users to update to 9.2.0316 or later and avoid connecting to untrusted netbeans servers.
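The practical question for a defender is whether a given Vim build is exposed at all: the flaw sits in the netbeans interface, so a build compiled without +netbeans_intg has no affected code path, and any build at 9.2 patch 316 or later is fixed. The following is an added example, not code from the Vim project or from this advisory; it parses the layout of Vim's own `vim --version` output (version line, "Included patches" line, and the +/- feature list) and classifies the build against the fixed version 9.2.0316 named above. The three sample outputs are constructed for the example.

```python
import re
import shutil
import subprocess

# Fixed release per the advisory: Vim 9.2 with patch 316, i.e. 9.2.0316.
FIXED_VERSION = (9, 2, 316)

# Constructed `vim --version` excerpts (not captured from any real host);
# the layout follows Vim's --version output.
SAMPLE_VULNERABLE = """\
VIM - Vi IMproved 9.1 (2024 Jan 25, compiled Mar 01 2026 10:00:00)
Included patches: 1-1200
Huge version without GUI.  Features included (+) or not (-):
+acl               +file_in_path      +mouse_urxvt       +syntax
+clientserver      +netbeans_intg     +tcl/dyn           +terminal
"""

SAMPLE_PATCHED = """\
VIM - Vi IMproved 9.2 (2026 Mar 10, compiled Apr 09 2026 08:00:00)
Included patches: 1-400
Huge version without GUI.  Features included (+) or not (-):
+clientserver      +netbeans_intg     +tcl/dyn           +terminal
"""

SAMPLE_NO_NETBEANS = """\
VIM - Vi IMproved 9.1 (2024 Jan 25, compiled Mar 01 2026 10:00:00)
Included patches: 1-50
Small version without GUI.  Features included (+) or not (-):
-clientserver      -netbeans_intg     -tcl/dyn           -terminal
"""


def parse_vim_version(text):
    """Return ((major, minor, highest_patch), netbeans_compiled_in).

    netbeans_compiled_in is True/False from the +/-netbeans_intg feature
    flag, or None if the feature list is missing from the dump.
    """
    m = re.search(r"VIM - Vi IMproved (\d+)\.(\d+)", text)
    if not m:
        return None, None
    major, minor = int(m.group(1)), int(m.group(2))
    # "Included patches: 1-1200" or "Included patches: 1-300, 305"; the
    # highest number is the effective patch level. No patch line means 0.
    patch = 0
    pm = re.search(r"Included patches: (.+)", text)
    if pm:
        patch = max(int(n) for n in re.findall(r"\d+", pm.group(1)))
    fm = re.search(r"([+-])netbeans_intg", text)
    netbeans = (fm.group(1) == "+") if fm else None
    return (major, minor, patch), netbeans


def assess(text):
    """Classify a --version dump as 'vulnerable', 'patched', 'no_netbeans' or 'unknown'."""
    version, netbeans = parse_vim_version(text)
    if version is None or netbeans is None:
        return "unknown"
    if not netbeans:
        # No netbeans interface in this build, so the affected code path is
        # absent; updating remains the durable fix.
        return "no_netbeans"
    return "vulnerable" if version < FIXED_VERSION else "patched"


def assess_local_vim():
    """Run the check against the vim on PATH, if one is installed."""
    exe = shutil.which("vim")
    if exe is None:
        return "unknown"
    out = subprocess.run([exe, "--version"], capture_output=True, text=True).stdout
    return assess(out)


if __name__ == "__main__":
    for name, sample in [("vulnerable build", SAMPLE_VULNERABLE),
                         ("patched build", SAMPLE_PATCHED),
                         ("no netbeans", SAMPLE_NO_NETBEANS)]:
        print(f"{name}: {assess(sample)}")
    print(f"local vim: {assess_local_vim()}")
```

The tuple comparison makes the rule explicit: 9.1 with any number of patches is older than 9.2.0316, while 9.2 at patch 316 or above, or any 9.3+, is fixed. Feeding `assess` the output collected from each host by your inventory tooling gives a quick fleet-wide view of which Vim installs still need the SI-2 update.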
Details
- CWE(s)