Amazon Linux 2023 : vim-common, vim-data, vim-default-editor (ALAS2023-2026-1584)

medium Nessus Plugin ID 306195

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

The remote host is affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1584 advisory.

When switching to other buffers using the :all command while visual mode is still active, a heap-buffer overflow may occur, because Vim does not properly end visual mode and may therefore try to access beyond the end of a line in a buffer. Patch 9.1.1003 makes Vim correctly reset visual mode before opening other windows and buffers, which fixes this bug. In addition, it verifies that it won't try to access a position if the position is greater than the corresponding buffer line. Impact is medium since the user must have switched on visual mode when executing the :all ex command. The Vim project would like to thank GitHub user gandalf4a for reporting this issue. The issue has been fixed as of Vim patch v9.1.1003. (CVE-2025-22134)

A vulnerability was identified in vim 9.1.0000. Affected is the function __memmove_avx_unaligned_erms of the file memmove-vec-unaligned-erms.S. The manipulation leads to memory corruption. The attack needs to be performed locally. The exploit is publicly available and might be used. Some users are not able to reproduce this. One of the users mentions that this appears not to be working, when coloring is turned on. (CVE-2025-9389)

A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component. (CVE-2025-9390)

Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim's tag file resolution logic when processing the 'helpfile' option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled 'helpfile' option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132. (CVE-2026-25749)

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The stack buffer overflow exists in special_keys() (in src/netbeans.c). The while (*tok) loop writes two bytes per iteration into a 64-byte stack buffer (keybuf) with no bounds check. A malicious NetBeans server can overflow keybuf with a single specialKeys command. The issue has been fixed as of Vim patch v9.1.2148. (CVE-2026-26269)

Vim is an open source, command line text editor. Prior to version 9.2.0073, an OS command injection vulnerability exists in the `netrw` standard plugin bundled with Vim. By inducing a user to open a crafted URL (e.g., using the `scp://` protocol handler), an attacker can execute arbitrary shell commands with the privileges of the Vim process. Version 9.2.0073 fixes the issue. (CVE-2026-28417)

Vim is an open source, command line text editor. Prior to version 9.2.0074, a heap-based buffer overflow out-of-bounds read exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file, Vim can be tricked into reading up to 7 bytes beyond the allocated memory boundary. Version 9.2.0074 fixes the issue. (CVE-2026-28418)

Vim is an open source, command line text editor. Prior to version 9.2.0075, a heap-based buffer underflow exists in Vim's Emacs-style tags file parsing logic. When processing a malformed tags file where a delimiter appears at the start of a line, Vim attempts to read memory immediately preceding the allocated buffer. Version 9.2.0075 fixes the issue. (CVE-2026-28419)

Vim is an open source, command line text editor. Prior to version 9.2.0076, a heap-based buffer overflow WRITE and an out-of-bounds READ exist in Vim's terminal emulator when processing maximum combining characters from Unicode supplementary planes. Version 9.2.0076 fixes the issue. (CVE-2026-28420)

Vim is an open source, command line text editor. From 9.1.0011 to before 9.2.0137, Vim's NFA regex compiler, when encountering a collection containing a combining character as the endpoint of a character range (e.g. [0-0\u05bb]), incorrectly emits the composing bytes of that character as separate NFA states. This corrupts the NFA postfix stack, resulting in NFA_START_COLL having a NULL out1 pointer. When nfa_max_width() subsequently traverses the compiled NFA to estimate match width for the look-behind assertion, it dereferences state->out1->out without a NULL check, causing a segmentation fault. This vulnerability is fixed in 9.2.0137. (CVE-2026-32249)

Command injection via newline in glob()

NOTE: https://github.com/vim/vim/security/advisories/GHSA-w5jw-f54h-x46c (CVE-2026-33412)

Vim before 9.2.0272 allows code execution that happens immediately upo ...

NOTE: https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh

NOTE: Fixed by: https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459 (v9.2.0272) (CVE-2026-34714)

A modeline sandbox bypass in Vim allows arbitrary OS command execution when a user opens a crafted file.
The complete, guitabtooltip and printheader options are missing the P_MLE flag, allowing a modeline to be executed. Additionally, the mapset() function lacks a check_secure() call, allowing it to be abused from sandboxed expressions.

An attacker who can deliver a crafted file to a victim achieves arbitrary command execution with the privileges of the user running Vim. (CVE-2026-34982)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update vim --releasever 2023.11.20260413' or 'dnf update --advisory ALAS2023-2026-1584 --releasever 2023.11.20260413' to update your system.

See Also

https://explore.alas.aws.amazon.com/CVE-2026-33412.html

https://explore.alas.aws.amazon.com/CVE-2026-34714.html

https://explore.alas.aws.amazon.com/CVE-2026-34982.html

https://alas.aws.amazon.com//AL2023/ALAS2023-2026-1584.html

https://alas.aws.amazon.com/faqs.html

https://explore.alas.aws.amazon.com/CVE-2025-22134.html

https://explore.alas.aws.amazon.com/CVE-2025-9389.html

https://explore.alas.aws.amazon.com/CVE-2025-9390.html

https://explore.alas.aws.amazon.com/CVE-2026-25749.html

https://explore.alas.aws.amazon.com/CVE-2026-26269.html

https://explore.alas.aws.amazon.com/CVE-2026-28417.html

https://explore.alas.aws.amazon.com/CVE-2026-28418.html

https://explore.alas.aws.amazon.com/CVE-2026-28419.html

https://explore.alas.aws.amazon.com/CVE-2026-28420.html

https://explore.alas.aws.amazon.com/CVE-2026-32249.html

Plugin Details

Severity: Medium

ID: 306195

File Name: al2023_ALAS2023-2026-1584.nasl

Version: 1.2

Type: Local

Agent: unix

Published: 4/13/2026

Updated: 4/14/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 8.1

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-26269

CVSS v3

Risk Factor: High

Base Score: 8.6

Temporal Score: 7.7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2026-34714

CVSS v4

Risk Factor: Medium

Base Score: 4.8

Threat Score: 1.9

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2025-9390

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:vim-filesystem, p-cpe:/a:amazon:linux:vim-data, p-cpe:/a:amazon:linux:vim-enhanced-debuginfo, p-cpe:/a:amazon:linux:vim-common, p-cpe:/a:amazon:linux:vim-minimal-debuginfo, p-cpe:/a:amazon:linux:xxd-debuginfo, p-cpe:/a:amazon:linux:xxd, p-cpe:/a:amazon:linux:vim-minimal, p-cpe:/a:amazon:linux:vim-enhanced, p-cpe:/a:amazon:linux:vim-default-editor, p-cpe:/a:amazon:linux:vim-debuginfo, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:vim-debugsource

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/13/2026

Vulnerability Publication Date: 1/13/2025

Reference Information

CVE: CVE-2025-22134, CVE-2025-9389, CVE-2025-9390, CVE-2026-25749, CVE-2026-26269, CVE-2026-28417, CVE-2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-32249, CVE-2026-33412, CVE-2026-34714, CVE-2026-34982