Alpine: gvim, multiple vim packages, xxd: security update to 9.2.0078-r0

high Tenable Cloud Security Plugin ID 438170

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow
and a segmentation fault (SEGV) exist in Vim's swap file recovery logic. Both are caused by unvalidated
fields read from crafted pointer blocks within a swap file. Version 9.2.0077 fixes the issue.
(CVE-2026-28421)

- Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection
vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted
URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the
privileges of the Vim process. Version 9.2.0073 fixes the issue. (CVE-2026-28417)

- Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow
out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags
file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074
fixes the issue. (CVE-2026-28418)

- Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow
exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a
delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated
buffer. Version 9.2.0075 fixes the issue. (CVE-2026-28419)

- Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow
WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining
characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue. (CVE-2026-28420)

See Also

https://security.alpinelinux.org/vuln/CVE-2026-28417

https://security.alpinelinux.org/vuln/CVE-2026-28418

https://security.alpinelinux.org/vuln/CVE-2026-28419

https://security.alpinelinux.org/vuln/CVE-2026-28420

https://security.alpinelinux.org/vuln/CVE-2026-28421

https://security.alpinelinux.org/vuln/CVE-2026-28422

Plugin Details

Severity: High

ID: 438170

Version: Revision 1.5

Type: Local

Published: 3/4/2026

Updated: 5/6/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.95

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-28421

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/27/2026

Reference Information

CVE: CVE-2026-28417, CVE-2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422