Home / mailingsPDF  

[USN-8101-1] Vim vulnerabilities

Posted on 18 March 2026
Ubuntu Security

==========================================================================Ubuntu Security Notice USN-8101-1
March 16, 2026

vim vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 25.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in Vim.

Software Description:
- vim: Vi IMproved - enhanced vi editor

Details:

Rahul Hoysala discovered that Vim did not correctly handle certain tag
resolutions. An attacker could possibly use this issue to cause a denial
of service. (CVE-2026-25749)

It was discovered that Vim did not correctly handle processing certain
specialKey commands. An attacker could possibly use this issue to cause a
denial of service or execute arbitrary code. (CVE-2026-26269)

Kim Dong Han discovered that Vim did not correctly handle opening certain
URLs. If a user or system were tricked into opening a specially crafted
file, an attacker could possibly use this issue to execute arbitrary code.
(CVE-2026-28417)

Kim Dong Han discovered that Vim did not correctly handle parsing
Emacs-style tag files. An attacker could possibly use this issue to cause
a denial of service. (CVE-2026-28418, CVE-2026-28419)

Kim Dong Han discovered that Vim did not correctly handle processing
maximum combining characters from Unicode supplementary planes. An attacker
could possibly use this issue to cause a denial of service or execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS,
Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2026-28420)

Kim Dong Han discovered that Vim did not correctly handle swap file
recovery. An attacker could possibly use this issue to cause a denial of
service or execute arbitrary code. (CVE-2026-28421)

Kim Dong Han discovered that Vim did not correctly handle rendering
status lines. An attacker could possibly use this issue to cause a denial
of service or execute arbitrary code. (CVE-2026-28422)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 25.10
vim 2:9.1.0967-1ubuntu6.1

Ubuntu 24.04 LTS
vim 2:9.1.0016-1ubuntu7.10

Ubuntu 22.04 LTS
vim 2:8.2.3995-1ubuntu2.26

Ubuntu 20.04 LTS
vim 2:8.1.2269-1ubuntu5.32+esm2
Available with Ubuntu Pro

Ubuntu 18.04 LTS
vim 2:8.0.1453-1ubuntu1.13+esm14
Available with Ubuntu Pro

Ubuntu 16.04 LTS
vim 2:7.4.1689-3ubuntu1.5+esm29
Available with Ubuntu Pro

Ubuntu 14.04 LTS
vim 2:7.4.052-1ubuntu3.1+esm23
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-8101-1
CVE-2026-25749, CVE-2026-26269, CVE-2026-28417, CVE-2026-28418,
CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422

Package Information:
https://launchpad.net/ubuntu/+source/vim/2:9.1.0967-1ubuntu6.1
https://launchpad.net/ubuntu/+source/vim/2:9.1.0016-1ubuntu7.10
https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.26

--===============0579892102185781830==Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature

 

TOP

Mailings :

Exploits :