SB2026070315 - Ubuntu update for vim

Published: July 3, 2026

Security Bulletin ID: SB2026070315
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 8
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High: 25%, Medium: 63%, Low: 13%

Description

This security bulletin contains information about 8 vulnerabilities.


1) Path traversal (CVE-ID: CVE-2026-35177)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to overwrite arbitrary files.

The vulnerability exists due to path traversal in zip.vim when processing specially crafted zip archives. A remote attacker can trick the victim into opening a crafted archive and editing a malicious file within it to overwrite arbitrary files.

User interaction is required, and the file is written when the victim attempts to save it using :w.


2) Out-of-bounds write (CVE-ID: CVE-2026-55693)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in the tree_count_words() function in src/spellfile.c when parsing a crafted .spl/.sug spell file pair during spell suggestion loading. A remote attacker can supply a specially crafted spell file pair to cause a denial of service.

User interaction is required: spell checking must be enabled and the user must invoke spell suggestion on a misspelled word.


3) Out-of-bounds write (CVE-ID: CVE-2026-55892)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds write in the dump_prefixes() function in src/spell.c when parsing a crafted .spl spell file during word list dumping. A remote attacker can supply a crafted spell file to cause a denial of service.

User interaction is required: spell checking must be enabled and the user must dump the word list, such as via :spelldump or spelling completion.


4) Code Injection (CVE-ID: CVE-2026-55895)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in s:NetrwLocalRmFile() in the netrw plugin when deleting a local file from the browser using a crafted filename from the directory listing. A remote attacker can place a file with a crafted name containing Ex command separators and trick the victim into deleting that entry to execute arbitrary code.

User interaction is required to delete the specific crafted file entry, and exploitation is limited to environments where filenames may contain the bar character.


5) Out-of-bounds read (CVE-ID: CVE-2026-57452)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to out-of-bounds read in crypt_sodium_buffer_decode() when parsing a crafted libsodium-encrypted file. A remote attacker can trick the victim into opening a crafted file and entering a key to cause a denial of service.

Only instances built with the +sodium feature are vulnerable, and the issue affects files using the VimCrypt~04! or VimCrypt~05! encryption method.


6) Command injection (CVE-ID: CVE-2026-57453)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in autoload/zip.vim PowerShell helper functions when processing crafted zip archive entry names via the PowerShell fallback. A remote attacker can trick the victim into opening, viewing, or extracting a crafted zip archive to execute arbitrary commands.

The vulnerable code path is reached only when Vim falls back to PowerShell instead of using external zip or unzip tools. User interaction is required to open, view, or extract the crafted archive entry.
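A defender-side triage script for the two zip.vim issues in this bulletin (items 1 and 6), added here as an example and not taken from the bulletin or from Vim's own code: it flags archive entry names that contain parent-directory components or absolute paths (the path-traversal case) and names carrying shell/PowerShell metacharacters (the command-injection case). The archive and its entry names are constructed for the demonstration, and the metacharacter list is a heuristic assumed for triage, not Vim's own filter.

```python
import io
import re
import zipfile

# Heuristic set of characters that would change meaning if an entry name were
# spliced into a shell or PowerShell command line (assumed list, not Vim's).
SUSPICIOUS_CHARS = re.compile(r"[;&|`$<>\"'\n\r]")


def classify_entry(name: str) -> list:
    """Return the reasons an archive entry name looks unsafe (empty if none)."""
    reasons = []
    normalized = name.replace("\\", "/")
    # Absolute POSIX path or Windows drive-letter path: would escape the
    # extraction/edit directory entirely.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        reasons.append("absolute path")
    # Any ".." path component can climb out of the target directory.
    if any(part == ".." for part in normalized.split("/")):
        reasons.append("parent-directory traversal")
    if "\\" in name:
        reasons.append("backslash separator")
    if SUSPICIOUS_CHARS.search(name):
        reasons.append("shell/PowerShell metacharacter")
    return reasons


def scan_zip(data: bytes) -> dict:
    """Map each flagged entry name in a zip archive to its list of reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_entry(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign entry and two unsafe entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "harmless")
        zf.writestr("../../.bashrc", "x")          # traversal
        zf.writestr("report.txt; echo test", "x")  # metacharacter in name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_zip()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Run the scanner over an archive before opening it in Vim; any finding is a reason to inspect the archive outside the editor.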


7) Out-of-bounds write (CVE-ID: CVE-2026-57455)

CWE-ID: CWE-787 - Out-of-bounds write

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds write in the single-byte branch of spell_soundfold_sofo() in src/spell.c when processing an over-long word through SOFO sound-folding. A local user can supply a specially crafted over-long word to cause a denial of service.

The vulnerable path is only reached under a non-multibyte 8-bit encoding such as latin1, with spell checking enabled for a language that uses a SOFO sound-folding table.


8) Code Injection (CVE-ID: CVE-2026-57456)

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper control of code generation in Python omni-completion docstring handling in runtime/autoload/python3complete.vim and pythoncomplete.vim when processing a hostile Python buffer during omni-completion. A remote attacker can craft a malicious docstring and convince a user to trigger Python omni-completion to execute arbitrary code.

User interaction is required to open or edit a hostile Python buffer and trigger Python omni-completion. Only builds with +python3 or +python support are affected.


Remediation

Install the update from the vendor's website.