Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1584 advisory.

    When switching to other buffers using the :all command and visual mode still being active, this may cause     a heap-buffer overflow, because Vim does not properly end visual mode and therefore may try to access     beyond the end of a line in a buffer. In Patch 9.1.1003 Vim will correctly reset the visual mode before     opening other windows and buffers and therefore fix this bug. In addition it does verify that it won't try     to access a position if the position is greater than the corresponding buffer line. Impact is medium since     the user must have switched on visual mode when executing the :all ex command. The Vim project would like     to thank github user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch     v9.1.1003 (CVE-2025-22134)

    A vulnerability was identified in vim 9.1.0000. Affected is the function __memmove_avx_unaligned_erms of     the file memmove-vec-unaligned-erms.S. The manipulation leads to memory corruption. The attack needs to be     performed locally. The exploit is publicly available and might be used. Some users are not able to     reproduce this. One of the users mentions that this appears not to be working, when coloring is turned     on. (CVE-2025-9389)

    A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function     main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The     attack requires a local approach. The exploit has been released to the public and may be exploited.
    Upgrading to version 9.1.1616 addresses this issue. The patch is identified as     eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component.
    (CVE-2025-9390)

    Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow     vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The     vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim     copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes     (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been     patched in version 9.1.2132. (CVE-2026-25749)

    Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability     exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that     enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in     src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf)     with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command.
    The issue has been fixed as of Vim patch v9.1.2148. (CVE-2026-26269)

    Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection     vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted     URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the     privileges of the Vim process. Version 9.2.0073 fixes the issue. (CVE-2026-28417)

    Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow     out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags     file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074     fixes the issue. (CVE-2026-28418)

    Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow     exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a     delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated     buffer. Version 9.2.0075 fixes the issue. (CVE-2026-28419)

    Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow     WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining     characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue. (CVE-2026-28420)

    Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex     compiler, when encountering a collection containing a combining character as the endpoint of a character     range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states.
    This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When     nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind     assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This     vulnerability is fixed in 9.2.0137. (CVE-2026-32249)

    Command injection via newline in glob()

    NOTE: https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c (CVE-2026-33412)

    Vim before 9.2.0272 allows code execution that happens immediately upo ...

    NOTE: https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvhNOTE: Fixed by:
    https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459 (v9.2.0272) (CVE-2026-34714)

    A modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file.
    The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be     executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from     sandboxed expressions.

    An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the     privileges of the user running Vim. (CVE-2026-34982)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1095-1 advisory.

    Update Vim to version 9.2.0110:

    - CVE-2025-53906: Fixed that malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
    - CVE-2026-26269: Fixed Netbeans specialKeys stack buffer overflow (bsc#1258229).
    - CVE-2026-28417: Fixed crafted URL parsed by netrw plugin can lead to execute arbitrary shell commands     (bsc#1259051).
    - CVE-2026-28418: Fixed that a malformed tags file can cause an heap-based buffer overflow out-of-bounds     read (bsc#1259052)
    - CVE-2026-28419: Fixed processing a malformed tags file containing a delimiter can lead to a crash     (bsc#1259053)
    - CVE-2026-28420: Fixed that processing maximum combining characters in terminal emulator can lead to     heap-based buffer overflow write (bsc#1259054)
    - CVE-2026-28421: Fixed that a crafted swap file can cause a heap-buffer-overflow and a segmentation fault
    - CVE-2026-28422: Fixed that a malicious modeline or plugin can trigger a stack-buffer-overflow     (bsc#1259056)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1051-1 advisory.

    Update Vim to version 9.2.0110:

    - CVE-2025-53906: malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
    - CVE-2026-26269: Netbeans specialKeys stack buffer overflow (bsc#1258229).
    - CVE-2026-28417: Fixed that a crafted URL parsed by netrw plugin can lead to execute arbitrary shell     commands (bsc#1259051).
    - CVE-2026-28418: Fixed that a malformed tags file can cause an heap-based buffer overflow out-of-bounds     read (bsc#1259052)
    - CVE-2026-28419: Fixed processing a malformed tags file containing a delimiter can lead to a crash     (bsc#1259053)
    - CVE-2026-28420: Fixed that processing maximum combining characters in terminal emulator can lead to     heap-based buffer overflow write (bsc#1259054)
    - CVE-2026-28421: Fixed that a crafted swap file can cause a heap-buffer-overflow and a segmentation fault
    - CVE-2026-28422: Fixed that a malicious modeline or plugin can trigger a stack-buffer-overflow     (bsc#1259056)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0178 advisory.

    Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:

    CVE-2026-28422:
    Vim is an open source, command line text editor. Prior to version 9.2.0078, a stack-buffer-overflow occurs     in `build_stl_str_hl()` when rendering a statusline with a multi-byte fill character on a very wide     terminal. Version 9.2.0078 patches the issue.

    CVE-2026-28421:
    Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow     and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated     fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.

    CVE-2026-28420:
    Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow     WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining     characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue.

    CVE-2026-28419:
    Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow     exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a     delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated     buffer. Version 9.2.0075 fixes the issue.

    CVE-2026-28418:
    Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow     out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags     file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074     fixes the issue.

    CVE-2026-28417:
    Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection     vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted     URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the     privileges of the Vim process. Version 9.2.0073 fixes the issue.

    CVE-2026-26269:
    Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability     exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that     enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in     src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf)     with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command.
    The issue has been fixed as of Vim patch v9.1.2148.

    CVE-2026-25749:
    Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow     vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The     vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim     copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes     (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been     patched in version 9.1.2132.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8101-1 advisory.

    Rahul Hoysala discovered that Vim did not correctly handle certain tag resolutions. An attacker could     possibly use this issue to cause a denial of service. (CVE-2026-25749)

    It was discovered that Vim did not correctly handle processing certain specialKey commands. An attacker     could possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-26269)

    Kim Dong Han discovered that Vim did not correctly handle opening certain URLs. If a user or system were     tricked into opening a specially crafted file, an attacker could possibly use this issue to execute     arbitrary code. (CVE-2026-28417)

    Kim Dong Han discovered that Vim did not correctly handle parsing Emacs-style tag files. An attacker could     possibly use this issue to cause a denial of service. (CVE-2026-28418, CVE-2026-28419)

    Kim Dong Han discovered that Vim did not correctly handle processing maximum combining characters from     Unicode supplementary planes. An attacker could possibly use this issue to cause a denial of service or     execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS,     Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2026-28420)

    Kim Dong Han discovered that Vim did not correctly handle swap file recovery. An attacker could possibly     use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-28421)

    Kim Dong Han discovered that Vim did not correctly handle rendering status lines. An attacker could     possibly use this issue to cause a denial of service or execute arbitrary code. (CVE-2026-28422)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0910-1 advisory.

    Update Vim to version 9.2.0110:

    - CVE-2025-53906: Fixed that malicious zip archive may cause a path traversal in Vim's zip (bsc#1246602).
    - CVE-2026-26269: Fixed Netbeans specialKeys stack buffer overflow (bsc#1258229).
    - CVE-2026-28417: Fixed that a crafted URL parsed by netrw plugin can lead to execute arbitrary shell     commands (bsc#1259051).
    - CVE-2026-28418: Fixed that a malformed tags file can cause an heap-based buffer overflow out-of-bounds     read (bsc#1259052)
    - CVE-2026-28419: Fixed processing a malformed tags file containing a delimiter can lead to a crash     (bsc#1259053)
    - CVE-2026-28420: Fixed that processing maximum combining characters in terminal emulator can lead to     heap-based buffer overflow write (bsc#1259054)
    - CVE-2026-28421: Fixed that a crafted swap file can cause a heap-buffer-overflow and a segmentation fault
    - CVE-2026-28422: Fixed that a malicious modeline or plugin can trigger a stack-buffer-overflow     (bsc#1259056)

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006132 advisory.

    Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability     exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that     enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in     src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf)     with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command.
    The issue has been fixed as of Vim patch v9.1.2148.

Tenable has extracted the preceding description block directly from the Unity Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-fea53fa4da advisory.

    Security fix for CVE-2026-26269

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the vim package has been released.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-120874f63c advisory.

    Security fix for CVE-2026-26269

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability     exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that     enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys() (in     src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf)     with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command.
    The issue has been fixed as of Vim patch v9.1.2148. (CVE-2026-26269)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
306195	Amazon Linux 2023 : vim-common, vim-data, vim-default-editor (ALAS2023-2026-1584)	Nessus	Amazon Linux Local Security Checks	medium
304130	SUSE SLES15 Security Update : vim (SUSE-SU-2026:1095-1)	Nessus	SuSE Local Security Checks	high
303938	SUSE SLES12 Security Update : vim (SUSE-SU-2026:1051-1)	Nessus	SuSE Local Security Checks	high
303491	TencentOS Server 4: vim (TSSA-2026:0178)	Nessus	Tencent Local Security Checks	high
303027	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Vim vulnerabilities (USN-8101-1)	Nessus	Ubuntu Local Security Checks	high
303013	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : vim (SUSE-SU-2026:0910-1)	Nessus	SuSE Local Security Checks	high
302295	Unity Linux 20.1070e Security Update: vim (UTSA-2026-006132)	Nessus	Unity Linux Local Security Checks	high
300405	Fedora 42 : vim (2026-fea53fa4da)	Nessus	Fedora Local Security Checks	high
300146	Photon OS 5.0: Vim PHSA-2026-5.0-0774	Nessus	PhotonOS Local Security Checks	high
300116	Photon OS 4.0: Vim PHSA-2026-4.0-0968	Nessus	PhotonOS Local Security Checks	high
300115	Fedora 43 : vim (2026-120874f63c)	Nessus	Fedora Local Security Checks	high
299054	Linux Distros Unpatched Vulnerability : CVE-2026-26269	Nessus	Misc.	high

Detections

Analytics

CVE-2026-26269

high

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high

high