CVE-2026-34714
Status: Received - Intake
Expression Injection in Vim < 9.2.0272 Enables Code Execution

Publication date: 2026-03-30

Last updated on: 2026-04-03

Assigner: MITRE

Description
Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-03
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: vim
Product: vim
Version / Range: all versions before 9.2.0272 (9.2.0272 excluded)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary OS command execution with the victim's user privileges simply by opening a crafted file in Vim. This can lead to unauthorized access, data manipulation, or data leakage.

Such unauthorized code execution and potential data compromise could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.


Can you explain this vulnerability to me?

This vulnerability affects Vim versions prior to 9.2.0272 and involves the 'tabpanel' option, which lacked the P_MLE flag that enforces secure evaluation of modeline expressions.

Unlike other options such as 'statusline' and 'tabline', 'tabpanel' accepted %{expr} format strings from modelines without requiring the 'modelineexpr' setting to be enabled. This omission bypassed usual security checks, allowing arbitrary expression strings to be accepted from modelines.

Although Vim evaluates these expressions inside a sandbox, the function autocmd_add() did not invoke security checks, enabling sandboxed code to register autocommands that execute after the sandbox has exited.

As a result, an attacker who can deliver a crafted file to a victim can achieve arbitrary OS command execution with the victim’s user privileges simply by the victim opening the file, without any additional user interaction.


How can this vulnerability impact me?

The vulnerability allows an attacker to execute arbitrary operating system commands with the privileges of the user running Vim.

This can happen simply by the victim opening a specially crafted file in a vulnerable Vim version, requiring no additional user interaction or special privileges.

Such arbitrary code execution can lead to compromise of the user's system, unauthorized data access, modification, or destruction, and potentially further attacks depending on the user's permissions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if the Vim version in use is prior to 9.2.0272, as versions before this patch are vulnerable.

Since the vulnerability involves the 'tabpanel' option being set via modelines in files, detection can include checking for files containing modelines that attempt to set 'tabpanel' or contain %{expr} expressions in modelines.

A practical approach is to verify the Vim version installed by running the command:

  • vim --version

If the version is older than 9.2.0272, the system is vulnerable.

Additionally, scanning files for suspicious modelines that set 'tabpanel' can be done using grep or similar tools, for example:

  • grep -r --include='*' 'tabpanel' .
  • grep -r --include='*' '%{.*}' .

These commands search recursively for occurrences of 'tabpanel' or expression injections in files that might trigger the vulnerability when opened in Vim.
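The two checks above, carried a step further as an added example (this is not code from the CVE record or from the Vim project): the version check parses the "VIM - Vi IMproved X.Y" line and the "Included patches: ..." line of a 'vim --version' banner and compares them against 9.2.0272, so that a 9.2 build with only 100 patches is correctly reported as below the fix; the file scan narrows the grep to lines that look like a Vim modeline ('vi:', 'vim:', 'Vim:' or 'ex:') setting 'tabpanel' to a %{...} value, which cuts out ordinary mentions of the word. The sample banner and the sample files are constructed for the demonstration, and the expression in the sample modeline is a harmless strftime() call.

```shell
#!/bin/sh
# Added example for this CVE record (not code from the record or from Vim).
# vim_below_fix: is a captured 'vim --version' banner below 9.2.0272?
# scan_modelines: which lines look like a modeline setting 'tabpanel' to %{...}?
# Sample banner and sample files below are constructed, not real output.

# Usage: vim_below_fix "$(vim --version)"
# Returns 0 when the banner describes a version below 9.2.0272,
# 1 when it is 9.2.0272 or later, 2 when the banner cannot be parsed.
vim_below_fix() {
    banner="$1"
    # "VIM - Vi IMproved 9.2 (...)" -> "9 2"
    ver=$(printf '%s\n' "$banner" |
        sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' |
        head -n 1)
    if [ -z "$ver" ]; then
        return 2
    fi
    major=${ver%% *}
    minor=${ver##* }
    # "Included patches: 1-272" (or "1-10, 12-272"): keep the last number.
    # A banner without that line is treated as patch level 0.
    patch=$(printf '%s\n' "$banner" |
        sed -n 's/^Included patches: .*[^0-9]\([0-9][0-9]*\)$/\1/p' |
        head -n 1)
    [ -n "$patch" ] || patch=0
    if [ "$major" -ne 9 ]; then
        if [ "$major" -lt 9 ]; then return 0; else return 1; fi
    fi
    if [ "$minor" -ne 2 ]; then
        if [ "$minor" -lt 2 ]; then return 0; else return 1; fi
    fi
    if [ "$patch" -lt 272 ]; then return 0; else return 1; fi
}

# Usage: scan_modelines FILE...
# Prints each candidate line (with line number) and returns 0 if any was
# found, 1 otherwise. Vim only honours modelines in the first and last
# 'modelines' (default 5) lines of a file; scanning whole files is the
# conservative choice for a detector.
scan_modelines() {
    grep -nE '(^|[[:space:]])(vi|vim|Vim|ex)[^:]*:.*tabpanel[+^-]?=[^ ]*%[{]' "$@"
}

# Constructed sample banner: a 9.2 build carrying patches 1-100 only.
SAMPLE_BANNER='VIM - Vi IMproved 9.2 (2025 Jan 1, compiled Jan  1 2026 00:00:00)
Included patches: 1-100
Compiled by example'

# Constructed sample files: one with a tabpanel modeline, one with a
# harmless indentation modeline.
tmpdir=$(mktemp -d)
printf '%s\n' 'int main(void) { return 0; }' \
    '/* vim: set tabpanel=%{strftime("%c")}: */' > "$tmpdir/sample.c"
printf '%s\n' 'notes' '# vim: set tabstop=4 shiftwidth=4:' > "$tmpdir/clean.txt"

if vim_below_fix "$SAMPLE_BANNER"; then
    echo "sample banner: below 9.2.0272 (vulnerable)"
else
    echo "sample banner: 9.2.0272 or later, or banner not recognised"
fi
scan_modelines "$tmpdir"/* || echo "no tabpanel modelines found"
rm -rf "$tmpdir"
```

On a real system, run `vim_below_fix "$(vim --version)"` and `scan_modelines` over the directories that receive files from outside (download folders, shared mounts, checked-out repositories). The scanner is deliberately narrow: a line that sets 'tabpanel' without a %{...} value, or that mentions tabpanel outside a modeline, is not reported, so pair it with the broader grep above when you want to see every mention.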


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Vim to version 9.2.0272 or later, where the vulnerability has been fixed by adding the P_MLE flag to the 'tabpanel' option and restricting autocommand functions in secure or restricted modes.

If upgrading immediately is not possible, consider disabling modelines or the 'tabpanel' feature in Vim to reduce the attack surface.

  • Disable modelines by adding 'set nomodeline' in your vimrc configuration file.
  • Avoid opening untrusted or suspicious files in Vim until the patch is applied.

These steps help prevent exploitation by blocking the ability to set 'tabpanel' via modelines and reduce the risk of arbitrary code execution.

