CVE-2026-44656

Publication date 8 May 2026

Last updated 14 May 2026

Ubuntu priority

Description

Vim is an open source, command line text editor. Prior to version 9.2.0435, an OS command injection vulnerability exists in Vim's :find command-line completion. When the path option contains backtick-enclosed shell commands, those commands are executed during file name completion. Because the path option lacks the P_SECURE flag, it can be set from a modeline, allowing an attacker who controls the contents of a file to execute arbitrary shell commands when the user opens that file in Vim and triggers :find completion. This issue has been patched in version 9.2.0435.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
vim	26.04 LTS resolute	Vulnerable
	25.10 questing	Vulnerable
	24.04 LTS noble	Vulnerable
	22.04 LTS jammy	Vulnerable
	20.04 LTS focal	Vulnerable
	18.04 LTS bionic	Vulnerable
	16.04 LTS xenial	Vulnerable
	14.04 LTS trusty	Vulnerable

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2026-44656
https://github.com/vim/vim/security/advisories/GHSA-hwg5-3cxw-wvvg
https://github.com/vim/vim/commit/190cb3c2b9c769a3972bcfd991a7b5b6cb771ef0
https://github.com/vim/vim/releases/tag/v9.2.0435

CVE-2026-44656

Description

Status

References

Other references

Access our resources on patching vulnerabilities