Bug 35167 - vim new security issues CVE-2026-2841[7-9], CVE-2026-2842[0-2]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-03-02 10:36 CET by Nicolas Salguero
Modified: 2026-03-06 04:02 CET

See Also:
Source RPM: vim-9.1.2148-1.mga9.src.rpm
CVE: CVE-2026-28417, CVE-2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422
Status comment:
herman.viaene: test_passed_mga9_64+


Nicolas Salguero 2026-03-02 10:38:01 CET

Source RPM: (none) => vim-9.1.2148-2.mga10.src.rpm, vim-9.1.2148-1.mga9.src.rpm
CVE: (none) => CVE-2026-28417, CVE-2026-28418, CVE-2026-28419, CVE-2026-28420, CVE-2026-28421, CVE-2026-28422
Status comment: (none) => Fixed upstream in 9.2.0078
Flags: (none) => affects_mga9+
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2026-03-02 21:02:11 CET
Thank goodness the new version fixes everything.
Not sure who does vim now, so assigning globally. It could be Nicolas.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2026-03-04 11:13:57 CET
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

OS Command Injection in netrw affects Vim < 9.2.0073. (CVE-2026-28417)

Heap-based Buffer Overflow in Emacs tags parsing affects Vim < 9.2.0074. (CVE-2026-28418)

Heap-based Buffer Underflow in Emacs tags parsing affects Vim < 9.2.0075. (CVE-2026-28419)

Heap-based Buffer Overflow and OOB Read in :terminal affects Vim < 9.2.0076. (CVE-2026-28420)

Multiple Vulnerabilities in Swap File Recovery affect Vim < 9.2.0077. (CVE-2026-28421)

Stack-buffer-overflow in build_stl_str_hl() affects Vim < 9.2.0078. (CVE-2026-28422)

References:
https://www.openwall.com/lists/oss-security/2026/02/27/6
https://www.openwall.com/lists/oss-security/2026/02/27/7
https://www.openwall.com/lists/oss-security/2026/02/27/8
https://www.openwall.com/lists/oss-security/2026/02/27/9
https://www.openwall.com/lists/oss-security/2026/02/27/10
https://www.openwall.com/lists/oss-security/2026/02/27/11
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.2.106-1.mga9
vim-common-9.2.106-1.mga9
vim-enhanced-9.2.106-1.mga9
vim-minimal-9.2.106-1.mga9

from SRPM:
vim-9.2.106-1.mga9.src.rpm

Flags: affects_mga9+ => (none)
Assignee: pkg-bugs => qa-bugs
Source RPM: vim-9.1.2148-2.mga10.src.rpm, vim-9.1.2148-1.mga9.src.rpm => vim-9.1.2148-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.2.0078 => (none)

katnatek 2026-03-05 03:32:22 CET

Keywords: (none) => advisory

Comment 3 Herman Viaene 2026-03-05 15:13:07 CET
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Tested by using the a, d, dd, i, x, :w and :q commands. Checked with kwrite, all works OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Flags: (none) => test_passed_mga9_64+

Comment 4 Thomas Andrews 2026-03-05 16:41:48 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2026-03-06 04:02:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0049.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

