PatchSiren cyber security CVE debrief

CVE-2026-46483 vim CVE debrief

A command injection vulnerability exists in Vim's tar plugin (tar#Vimuntar() in runtime/autoload/tar.vim) prior to version 9.2.0479. When decompressing .tgz archives on Unix-like systems, the function constructs :!gunzip and :!gzip -d commands using shellescape(tartail) without the {special} flag. This omission allows crafted archive filenames containing Vim cmdline-special characters to trigger expansion and execute arbitrary shell commands in the user's context. The vulnerability requires local access and user interaction to open a malicious archive, with attack complexity rated high due to the need for filename manipulation. The issue was disclosed on 2026-05-15 and last modified on 2026-05-19.

Vendor: vim
Product: Unknown
CVSS: LOW 3.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-15
Original CVE updated: 2026-05-19
Advisory published: 2026-05-15
Advisory updated: 2026-05-19

Who should care

Vim users on Unix-like systems who regularly work with .tgz archives, particularly in environments where archives may originate from untrusted sources. System administrators managing multi-user environments with Vim installations. Security teams monitoring for local privilege escalation vectors in text editor plugins.

Technical summary

The tar#Vimuntar() function in Vim's runtime/autoload/tar.vim improperly uses shellescape() without the {special} flag when constructing shell commands for decompressing .tgz archives. This allows cmdline-special characters in crafted filenames to be expanded by Vim, resulting in arbitrary command execution. The vulnerability is local, requires user interaction to open a malicious archive, and has been fixed in Vim 9.2.0479.

Defensive priority

routine

Recommended defensive actions

  • Upgrade Vim to version 9.2.0479 or later to eliminate the command injection vulnerability in the tar plugin
  • If immediate patching is not feasible, avoid opening .tgz archives with untrusted or suspicious filenames in Vim
  • Review and restrict use of Vim's tar plugin in environments where users may encounter archives from untrusted sources
  • Monitor for anomalous shell command execution in user contexts where Vim is used to inspect archive contents
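A version check for the first action above, added here as an example that is not part of this advisory or of the Vim project: it parses the text of `vim --version` and reports whether the build is at or past 9.2.0479, treating any newer major.minor as fixed. The function name, the exit codes and the sample version strings are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the Vim project: decide from the text of
# `vim --version` whether a build contains the tar.vim fix (Vim 9.2.0479 or later).
# Any newer major.minor also counts as fixed. Exit status: 0 fixed, 1 affected,
# 2 if the version text could not be parsed.
vim_has_tar_fix() {
    text="$1"
    # First line looks like: "VIM - Vi IMproved 9.2 (2026 May 01, compiled ...)"
    ver=$(printf '%s\n' "$text" | sed -n 's/^VIM - Vi IMproved \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p' | head -n 1)
    [ -n "$ver" ] || return 2
    major=${ver%% *}
    minor=${ver##* }
    # "Included patches: 1-479" (possibly several ranges); keep the last number.
    # A build with no patches line is treated as patch level 0.
    patch=$(printf '%s\n' "$text" | sed -n 's/^Included patches:.*[^0-9]\([0-9][0-9]*\)$/\1/p' | head -n 1)
    patch=${patch:-0}
    if [ "$major" -gt 9 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 9 ] && [ "$minor" -eq 2 ] && [ "$patch" -ge 479 ]; then return 0; fi
    return 1
}

# Print a one-line verdict for the vim on PATH (skipped when vim is not installed).
if command -v vim >/dev/null 2>&1; then
    rc=0
    vim_has_tar_fix "$(vim --version)" || rc=$?
    case $rc in
        0) echo "vim on PATH: tar.vim fix present (9.2.0479 or later)" ;;
        1) echo "vim on PATH: affected, upgrade to 9.2.0479 or later" ;;
        *) echo "vim on PATH: version text not understood" ;;
    esac
fi
```

Run it on each host as part of the upgrade sweep; a non-zero exit from the function is the signal to patch.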

Evidence notes

Vulnerability confirmed through official GitHub security advisory and NVD analysis. Patch commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 addresses the issue by properly escaping special characters. CVSS 3.6 (LOW) reflects limited impact due to local attack vector and high complexity.

Official resources

2026-05-15