Alpine: gvim, multiple vim packages, xxd: security update to 9.2.0699-r0

high Tenable Cloud Security Plugin ID 443965

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of
spell_soundfold_sofo() in src/spell.c translates a word through a spell file's SOFO (sound-folding) byte
map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound and
terminates only on the input NUL, writing one byte per input byte into the MAXWLEN-element stack buffer
the caller provides. A word longer than MAXWLEN, passed to soundfold() (or reached via sound-based spell
suggestion) while a SOFO-based spell language is active, therefore writes past the end of that buffer.
This is a stack out-of-bounds write that corrupts the call frame and crashes the editor. This
vulnerability is fixed in 9.2.0698. (CVE-2026-57455)

- Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion
(runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function
and class definitions from the current buffer with exec() as part of populating the completion dictionary.
When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no
escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled
Python during omni-completion. This vulnerability is fixed in 9.2.0699. (CVE-2026-57456)
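As an added illustration of the docstring breakout described above (example code written for this page, not Vim's runtime code and not a description of its fix): build_stub_unsafe models the pre-9.2.0699 pattern of splicing a buffer's docstring verbatim between triple quotes before exec(), build_stub_safe emits the docstring through repr() so it remains a single literal, and collect_defs_without_exec shows that names, argument lists and docstrings can be read from the buffer's AST without executing anything. The buffer, the docstring payload and the EXECUTED sentinel are constructed for the demonstration, and the payload only appends a marker to that sentinel.

```python
"""Docstring breakout in exec()-based completion (added example, not Vim code)."""
import ast

# Constructed payload: the docstring closes the triple-quoted literal, runs a
# statement at module level, then opens a new function whose docstring will
# absorb the closing quotes the template appends. The statement only appends
# a marker to a sentinel list so the demonstration is harmless.
HOSTILE_DOC = (
    'looks harmless"""\n'
    'EXECUTED.append("docstring-breakout")\n'
    'def _g():\n'
    '    """'
)

# Constructed buffer as a user would see it: the hostile string is a valid
# single-quoted docstring of an ordinary-looking helper.
HOSTILE_BUFFER = (
    "def helper(a, b):\n"
    + "    " + repr(HOSTILE_DOC) + "\n"
    + "    return a + b\n"
)


def collect_defs_without_exec(buffer_src):
    """Read function/class names, argument names and raw docstrings from the
    buffer's AST. Parsing never executes the buffer."""
    defs = {}
    for node in ast.walk(ast.parse(buffer_src)):
        if isinstance(node, (ast.FunctionDef, ast.ClassDef)):
            args = [a.arg for a in node.args.args] if isinstance(node, ast.FunctionDef) else []
            defs[node.name] = (args, ast.get_docstring(node, clean=False) or "")
    return defs


def build_stub_unsafe(name, args, doc):
    """Pre-9.2.0699 pattern: the docstring is spliced verbatim between triple
    quotes, so a docstring containing three double quotes ends the literal."""
    return 'def %s(%s):\n    """%s"""\n    pass\n' % (name, args, doc)


def build_stub_safe(name, args, doc):
    """Hardened builder (hypothetical): repr() yields one escaped string
    literal whatever quotes, backslashes or newlines the docstring holds."""
    return 'def %s(%s):\n    %s\n    pass\n' % (name, args, repr(doc))


def exec_stub(src, name):
    """Model the completion step: exec() the reconstructed definition in a
    throwaway namespace. Returns (breakout_fired, __doc__ of the result)."""
    sentinel = []
    ns = {"EXECUTED": sentinel}
    exec(compile(src, "<stub>", "exec"), ns)
    return bool(sentinel), ns[name].__doc__


def reconstruct_and_exec(buffer_src, builder):
    """Run the whole pipeline the way an exec()-based completer would:
    extract definitions, rebuild stubs with `builder`, exec each one.
    Returns True if any docstring escaped its literal."""
    fired = False
    for name, (args, doc) in collect_defs_without_exec(buffer_src).items():
        hit, _ = exec_stub(builder(name, ", ".join(args), doc), name)
        fired = fired or hit
    return fired


if __name__ == "__main__":
    print("unsafe builder, breakout fired:", reconstruct_and_exec(HOSTILE_BUFFER, build_stub_unsafe))
    print("safe builder, breakout fired:  ", reconstruct_and_exec(HOSTILE_BUFFER, build_stub_safe))
```

Neither hardening is a claim about what 9.2.0699 actually changed. The property to check in any completion code of this kind is that no fragment taken from buffer text reaches exec() unescaped, and the AST path shows the metadata can be obtained without an exec() at all.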

Solution

Update the affected packages (gvim, the other vim packages and xxd) to version 9.2.0699-r0 or later.

See Also

https://security.alpinelinux.org/vuln/CVE-2026-57455

https://security.alpinelinux.org/vuln/CVE-2026-57456

Plugin Details

Severity: High

ID: 443965

Version: Revision 1.2

Type: Local

Published: 6/26/2026

Updated: 6/26/2026

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-57456

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.4

Threat Score: 5.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 6/25/2026

Reference Information

CVE: CVE-2026-57455, CVE-2026-57456