Message-ID: <agX+lrPZrSvoV2jW@256bit.org>
Date: Thu, 14 May 2026 18:55:50 +0200
From: Christian Brabandt <cblists@...bit.org>
To: oss-security@...ts.openwall.com
Subject: [vim-security] Vimscript Code Injection in netrw NetrwMarkFile() via
crafted filename affects Vim < 9.2.480
Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename affects Vim < 9.2.480
============================================================================================
Date: 14.05.2026
Severity: Medium
CVE: CVE-2026-43961
CWE: Improper Control of Generation of Code (CWE-94) /
Improper Neutralization of Special Elements in Output Used by a Downstream Component (CWE-74)
## Summary
A Vimscript code injection vulnerability exists in `s:NetrwMarkFile()` in the
netrw plugin (`runtime/pack/dist/opt/netrw/autoload/netrw.vim`) when
unmarking files from the global marked-file list. A filename derived
from the buffer's directory listing is interpolated into a string
expression passed to `filter()`, allowing a crafted filename containing
a double quote to break out of the quoted string literal and execute
arbitrary Vimscript, including shell commands via `execute()` and `:!`.
## Description
`s:NetrwMarkFile()` maintains two marked-file lists: a buffer-local list
and a global list. When a file is unmarked, both lists are updated.
The buffer-local list uses the safe pattern:

    call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')

where `a:fname` is referenced as a variable inside the filter expression
and resolved at evaluation time. The global list, however, interpolated
the filename's value directly into the expression string:

    let dname = netrw#fs#ComposePath(b:netrw_curdir, a:fname)
    ...
    call filter(s:netrwmarkfilelist, 'v:val != "'.dname.'"')

When `filter()` receives a string argument, the string is parsed as a
Vimscript expression. A filename containing `"` terminates the quoted
literal early, after which the remainder of the filename is evaluated as
Vimscript. Calls such as `execute("!cmd")` inside the injected fragment
run arbitrary Ex commands with the privileges of the user running Vim.
The filename reaches `s:NetrwMarkFile()` through the `mf` mapping, which
calls `s:NetrwGetWord()` to read the filename from the current line of
the netrw directory listing. The injection only triggers on the second
`mf` press for a given entry, because the first press takes the
`add()` branch and only the second takes the vulnerable `filter()`
branch.
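As an added illustration, not netrw's code and not the upstream fix (which is in the linked commit), the following legacy Vimscript reproduces the mechanism on a plain list: it builds a filename that closes the double-quoted literal the vulnerable `filter()` call constructs, lets the remainder run `execute()` with a harmless `:let` standing in for a shell command, and then shows the hardened form, which names the variable inside the expression (as the buffer-local list already does) or passes a lambda. The directory `/tmp/victim`, the entry `other.txt` and the crafted name are constructed for the demo.

```vim
" Added demo, not netrw code. Legacy Vimscript; run with
"   vim -u NONE -N -es -S demo.vim; echo $?     (0 = behaved as described)
" The directory, the list contents and the crafted name are constructed here.

let s:dir = '/tmp/victim'

" The crafted name closes the "..." literal that the vulnerable call builds,
" then appends a function call. A real payload would use execute("!cmd");
" this demo only sets a global variable so it is safe to run.
let s:crafted = 'x" . execute("let g:injected = 1") . "'

" Stand-in for netrw#fs#ComposePath(b:netrw_curdir, a:fname)
let s:dname = s:dir . '/' . s:crafted

" --- Vulnerable pattern (netrw before the fix): the value is spliced into the
" string that filter() later evaluates as an expression.
let g:injected = 0
let s:marked = [s:dir . '/other.txt', s:dname]
call filter(s:marked, 'v:val != "' . s:dname . '"')
" filter() evaluated:
"   v:val != "/tmp/victim/x" . execute("let g:injected = 1") . ""
" so execute() ran, and the crafted entry was not even removed (len stays 2).
if g:injected != 1 || len(s:marked) != 2
  echomsg 'unexpected: injection did not fire'
  cquit
endif

" --- Hardened pattern (suggested here; see the upstream commit for the real
" fix): reference the variable inside the expression, or use a lambda. The
" filename is compared as data and never parsed as Vimscript.
let g:injected = 0
let s:marked = [s:dir . '/other.txt', s:dname]
call filter(s:marked, 'v:val != s:dname')
let s:marked2 = [s:dir . '/other.txt', s:dname]
call filter(s:marked2, {idx, val -> val != s:dname})
if g:injected != 0 || s:marked != [s:dir . '/other.txt'] || s:marked2 != s:marked
  echomsg 'unexpected: hardened pattern misbehaved'
  cquit
endif

echomsg 'vulnerable form ran execute() from the filename; hardened forms did not'
qall!
```

The script exits non-zero (`:cquit`) if either half does not behave as the advisory describes. In a function, as in netrw, the same hardening is `'v:val != dname'` with the function-local variable, which is exactly the shape the buffer-local list already uses with `a:fname`.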
## Impact
The vulnerability allows arbitrary Vimscript execution, and by extension
arbitrary shell command execution, with the privileges of the user
running Vim. Exploitation requires:
- a Unix-like system on which a filename may contain a double quote,
- a crafted file present in a directory the victim browses with netrw,
and
- the victim to invoke `mf` twice on that specific entry to mark and
then unmark it.
The severity is rated Medium because exploitation requires a planted
file with an unusual name and a deliberate mark/unmark action by the
victim on that specific entry, although the resulting primitive is full
command execution as the victim user.
Note: due to the nature of the issue, it seems highly unlikely that a user
would press `mf` twice on such a suspicious filename.
## Acknowledgements
The Vim project would like to thank Aisle Research for reporting and
analyzing the issue.
## References
The issue has been fixed as of Vim patch [v9.2.480](https://github.com/vim/vim/releases/tag/v9.2.0480).
- [Commit](https://github.com/vim/vim/commit/8af0f098c3a42a28661d0295364e)
- [Github Security Advisory](https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3)
Thanks,
Chris
--
Lee's Law:
Mother said there would be days like this,
but she never said that there'd be so many!