Executive Summary

CVE-2026-35177 is a path traversal vulnerability in the zip.vim plugin of Vim versions prior to 9.2.0280. It allows an attacker to overwrite arbitrary files on the filesystem by opening specially crafted zip archives within Vim.

The vulnerability bypasses a previous fix by using a dummy directory prefix before the traversal sequence, causing Vim's path checks to fail while still escaping the intended directory after path normalization.

Exploitation requires the user to open a malicious zip archive in Vim, select and edit a malicious file inside it, and then save the file using the ":w" command, which causes Vim to overwrite files outside the intended directory.

Vim displays the full path of the file being written, which may alert cautious users. Standard zip utilities usually do not extract such paths and will warn or skip them, so this issue is specific to Vim's internal handling.

Useful 0 Not Useful 0

Impact Analysis

Successful exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the Vim process.

The impact is considered low because exploitation requires direct user interaction and deliberate editing of malicious files.

The vulnerability has a CVSS v3.1 base score of 4.1, indicating moderate severity, with low integrity and availability impacts and no confidentiality impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Vim installation is a version prior to 9.2.0280, as those versions contain the vulnerable zip.vim plugin.

Detection of active exploitation attempts involves monitoring for users opening specially crafted zip archives in Vim and then saving files with path traversal sequences.

Since exploitation requires user interaction within Vim, you can look for Vim processes editing files from zip archives with suspicious paths containing traversal patterns like "a/../../".

Suggested commands to check Vim version and look for suspicious activity include:

• Check Vim version: `vim --version` (ensure it is 9.2.0280 or later)
• Search for recent Vim processes: `ps aux | grep vim`
• Monitor file writes by Vim to sensitive locations, for example using auditd or inotify tools to watch for unexpected file overwrites.
• Review Vim swap or backup files for suspicious paths or contents.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade Vim to version 9.2.0280 or later, where this vulnerability is fixed.

Until the upgrade is applied, avoid opening zip archives in Vim, especially those from untrusted sources.

Educate users about the risk of opening and editing files inside zip archives with Vim, as exploitation requires deliberate user interaction.

Consider restricting write permissions on sensitive files and directories to limit the impact of any potential exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to overwrite arbitrary files on the filesystem by opening specially crafted zip archives within Vim, potentially leading to modification of sensitive files or placing executable code in privileged locations.

Because exploitation requires direct user interaction and deliberate editing of malicious files, the risk is considered low to moderate.

However, if exploited, the integrity of sensitive data could be compromised, which may impact compliance with standards like GDPR or HIPAA that require protection of data integrity and prevention of unauthorized modification.

No direct confidentiality impact is noted, but the ability to overwrite files could indirectly affect compliance by enabling unauthorized changes to protected data or system files.

Useful 0 Not Useful 0