SB2026062638 - Anolis OS update for vim
Published: June 26, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) OS Command Injection (CVE-ID: CVE-2026-41411)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:A/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands.
The vulnerability exists due to improper neutralization of special elements used in an os command in tag file processing when resolving tag filenames from a tags file. A remote attacker can place a specially crafted tags file entry containing backtick syntax and trigger tag navigation to execute arbitrary shell commands.
User interaction is required to perform tag navigation such as :tag, Ctrl-], or vim -t after opening Vim in a directory containing a malicious tags file.
2) Out-of-bounds read (CVE-ID: CVE-2026-52859)
CWE-ID: CWE-125 - Out-of-bounds read
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a local user to cause a denial of service.
The vulnerability exists due to out-of-bounds read in the update_snapshot() function in src/terminal.c when processing terminal screen snapshots in a :terminal window. A local user can emit terminal output containing a cell with a base character and five combining marks to cause a denial of service.
The issue can be triggered when the user enters Terminal-Normal mode or when the terminal job exits.
Remediation
Install update from vendor's website.