SB20260619120 - Ubuntu update for vim
Published: June 19, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 vulnerabilities.
1) Code Injection (CVE-ID: CVE-2026-47162)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper control of code generation in s:NetrwBookHistSave() in the netrw plugin when serializing browsed directory paths to the history file. A remote attacker can create a specially crafted directory name to execute arbitrary code.
User interaction is required to browse the crafted directory with netrw and later open any directory so the history file is sourced. The injected content persists in the history file until the entry is rotated out.
2) Eval Injection (CVE-ID: CVE-2026-47167)
CWE-ID: CWE-95 - Eval Injection
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary code.
The vulnerability exists due to improper neutralization of directives in dynamically evaluated code in s:stepmatch() in the cucumber filetype plugin when processing crafted step-definition regex patterns from repository .rb files during step-jump handling. A remote attacker can place a specially crafted step-definition pattern in an attacker-controlled repository to execute arbitrary code.
Exploitation requires a Vim build with +ruby support and user interaction to invoke a step-jump mapping on a matching feature line.
3) Code Injection (CVE-ID: CVE-2026-52858)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in python omni-completion in python3complete.vim when processing a crafted Python file during omni-completion. A local user can place a crafted Python file with attacker-controlled import statements and a sibling package in the working directory to execute arbitrary code.
User interaction is required to invoke omni-completion with CTRL-X CTRL-O while editing the crafted Python file, and the issue affects builds with the Python interpreter enabled and filetype plugins active.
4) Out-of-bounds read (CVE-ID: CVE-2026-52859)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the update_snapshot() function in src/terminal.c when processing terminal screen snapshots in a :terminal window. A local user can emit terminal output containing a cell with a base character and five combining marks to cause a denial of service.
The issue can be triggered when the user enters Terminal-Normal mode or when the terminal job exits.
5) Code Injection (CVE-ID: CVE-2026-52860)
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to improper control of code generation in Python omni-completion in runtime/autoload/python3complete.vim and pythoncomplete.vim when reconstructing and executing function and class definitions from a hostile Python buffer during omni-completion. A local user can trick the victim into opening or editing a crafted Python buffer and triggering omni-completion to execute arbitrary code.
Only builds with +python3 or +python are affected, and triggering omni-completion in the hostile buffer is required.
Remediation
Install update from vendor's website.