SB20260529238 - SUSE update for vim
Published: May 29, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2026-39881)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation in NetBeans integration. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) OS Command Injection (CVE-ID: CVE-2026-42307)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands.
The vulnerability exists due to improper neutralization of special elements used in an OS command in the netrw standard plugin function s:GetTempfile() when processing crafted local or remote URLs. A remote attacker can trick the victim into opening a crafted URL to execute arbitrary shell commands.
User interaction is required to open a crafted URL, and the injected payload is typically visible in the filename.
3) Code Injection (CVE-ID: CVE-2026-43961)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary Vimscript and shell commands.
The vulnerability exists due to improper control of generation of code in s:NetrwMarkFile() in the netrw plugin when unmarking files from the global marked-file list. A local user can create a crafted filename containing a double quote and induce the victim to mark and unmark that entry to execute arbitrary Vimscript and shell commands.
User interaction is required, and the issue only triggers on the second mf press for a given entry. Exploitation requires a Unix-like system on which filenames may contain a double quote.
4) OS Command Injection (CVE-ID: CVE-2026-44656)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands.
The vulnerability exists due to command injection in the :find command-line completion path when processing a file with a modeline that sets the 'path' option to include backtick-enclosed shell commands and the user triggers file name completion. A remote attacker can supply a crafted file to execute arbitrary shell commands.
User interaction is required to open the crafted file and trigger completion, and exploitation via modeline requires the 'modeline' feature to be enabled.
5) Heap-based buffer overflow (CVE-ID: CVE-2026-45130)
CWE-ID: CWE-122 - Heap-based Buffer Overflow
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to heap-based buffer overflow in read_compound() in src/spellfile.c when loading a crafted .spl spell file with UTF-8 encoding active. A remote attacker can trick the victim into opening a text file with a crafted modeline or otherwise cause Vim to load a planted spell file to cause a denial of service.
User interaction is required, and exploitation requires a malicious .spl file to be present on the runtimepath while UTF-8 encoding is active.
6) OS Command Injection (CVE-ID: CVE-2026-46483)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to execute arbitrary shell commands.
The vulnerability exists due to improper neutralization of special elements in tar#Vimuntar() in runtime/autoload/tar.vim when decompressing .tgz archives via :Vimuntar on Unix-like systems. A remote attacker can supply a crafted archive filename to execute arbitrary shell commands.
User interaction is required to open the crafted file and invoke the non-routine :Vimuntar command, and only Unix-like systems with the tar plugin enabled are vulnerable.
Remediation
Install update from vendor's website.