Message-ID: <adVQtx62JGiqoBC1@256bit.org>
Date: Tue, 7 Apr 2026 20:45:11 +0200
From: Christian Brabandt <cb@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Netbeans command injection in Vim < v9.2.0316

Netbeans command injection in Vim < v9.2.0316
=============================================
Date: 07.04.2026
Severity: Medium
CVE: *requested, but not yet assigned*
CWE: Improper Neutralization of Special Elements used in an OS Command (CWE-78)

## Summary

A command injection vulnerability in Vim's netbeans interface allows a malicious netbeans server to execute arbitrary Ex commands when Vim connects to it, via unsanitized strings in the `defineAnnoType` and `specialKeys` protocol messages.

## Description

Vim includes a netbeans interface (`:help netbeans`) which allows an external server (typically an IDE) to communicate with Vim over a TCP connection. The interface handles a `defineAnnoType` message that defines sign and highlight group names, and a `specialKeys` message that defines key mappings.

In `defineAnnoType`, the `typeName`, `fg`, and `bg` fields are interpolated directly into Ex commands via `coloncmd()` without sanitization. Because Vim interprets `|` as a command separator in Ex commands, a malicious server can inject arbitrary Ex commands by embedding `|cmd|` in any of these fields. Similarly, in `specialKeys`, key tokens are passed unsanitized into a map command string, allowing injection via characters such as `|` or `<`.

Exploitation requires:

- The user starts Vim with the `-nb` flag pointing to a server controlled by the attacker (e.g. `vim -nb:localhost:PORT:pwd file`).
- The attacker's server sends a malicious `defineAnnoType` or `specialKeys` message after the connection handshake.

## Impact

Impact is **medium**. Exploitation requires the user to connect to a malicious netbeans server, but once connected, arbitrary Ex commands can be executed (Vim may print error messages for the broken surrounding command, but the injected command still runs). This can lead to arbitrary file reads and writes, or further code execution via Ex commands such as `:call system()`.

## Acknowledgements

The Vim project would like to thank GitHub user @Wang1rrr for identifying the vulnerability.

## References

The issue has been fixed as of Vim patch [v9.2.0316](https://github.com/vim/vim/releases/tag/v9.2.0316).

- [Commit](https://github.com/vim/vim/commit/7ab76a86048ed492374ac6b19)
- [GitHub Advisory](https://github.com/vim/vim/security/advisories/GHSA-mr87-rhgv-7pw6)

Best,
Christian

--
Nothing is hated as much as the first expression of a vice one did not expect.
-- Jean Paul
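The injection pattern described above, and the kind of input check that blocks it, as an added example in C. This is illustration code written for this page, not Vim's `netbeans.c` and not the fix shipped in v9.2.0316 (see the referenced commit for the real change): the `:highlight NB_...` command shape, the alphanumeric allow-list in `nb_name_is_safe()` and the sample `typeName` value are assumptions, and `count_ex_commands()` is a deliberately simplified model of how Vim's Ex parser treats `|` (it ignores backslash escaping and commands that consume the rest of the line).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Example policy (not Vim's own check): a name or key token received from
 * the netbeans server may contain only ASCII letters, digits, '_' and '-'.
 * Everything the Ex command-line parser treats specially, in particular
 * '|', whitespace, '"' and '<', is therefore rejected before interpolation. */
static int nb_name_is_safe(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (; *s != '\0'; ++s)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Vulnerable pattern: fields from the wire are formatted straight into an
 * Ex command, as the advisory describes for coloncmd(). The exact command
 * Vim builds is not given on the page; ":highlight" with guifg/guibg is used
 * here as an illustration. Returns the length snprintf() would produce. */
static int build_hl_cmd_unsafe(char *out, size_t outlen,
                               const char *typename, const char *fg, const char *bg)
{
    return snprintf(out, outlen, ":highlight NB_%s guifg=%s guibg=%s",
                    typename, fg, bg);
}

/* Hardened pattern: validate every interpolated field first and refuse to
 * build (and thus execute) anything when a field fails. Returns -1 on
 * rejection, otherwise the same value as the unsafe builder. */
static int build_hl_cmd_safe(char *out, size_t outlen,
                             const char *typename, const char *fg, const char *bg)
{
    if (!nb_name_is_safe(typename) || !nb_name_is_safe(fg) || !nb_name_is_safe(bg))
        return -1;
    return build_hl_cmd_unsafe(out, outlen, typename, fg, bg);
}

/* Simplified model of Ex command splitting: every '|' starts a new command.
 * Returns the number of commands on the line and copies the second command
 * (the first one an attacker controls) into `injected`, or "" if none. */
static int count_ex_commands(const char *cmdline, char *injected, size_t injlen)
{
    int n = 1;
    const char *bar = strchr(cmdline, '|');

    if (injected != NULL && injlen > 0)
        injected[0] = '\0';
    if (bar == NULL)
        return n;

    const char *start = bar + 1;
    const char *end = strchr(start, '|');
    size_t len = end != NULL ? (size_t)(end - start) : strlen(start);
    if (injected != NULL && injlen > 0) {
        if (len >= injlen)
            len = injlen - 1;
        memcpy(injected, start, len);
        injected[len] = '\0';
    }
    for (const char *p = cmdline; *p != '\0'; ++p)
        if (*p == '|')
            ++n;
    return n;
}

int main(void)
{
    char cmd[256], injected[128];
    /* Constructed attacker-controlled typeName for this demo. */
    const char *evil = "evil|call system(\"id\")|";

    build_hl_cmd_unsafe(cmd, sizeof cmd, evil, "1", "2");
    int n = count_ex_commands(cmd, injected, sizeof injected);
    printf("unsafe: %s\n  -> %d Ex commands, injected: %s\n", cmd, n, injected);

    if (build_hl_cmd_safe(cmd, sizeof cmd, evil, "1", "2") < 0)
        printf("safe:   rejected typeName \"%s\"\n", evil);
    build_hl_cmd_safe(cmd, sizeof cmd, "Breakpoint", "1", "2");
    printf("safe:   %s\n", cmd);
    return 0;
}
```

The same allow-list applies to the `specialKeys` case: a key token such as `S-F2` passes, while `F1<CR>` or `F1|cmd` is refused before it reaches a `:map` string. Rejecting at the protocol boundary is preferable to escaping, since the set of characters Vim's command-line parser treats specially differs per command.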