Bug 35490 - vim new security issues CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Summary: vim new security issues CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: advisory
Depends on: 35332
Blocks:
Reported: 2026-05-07 22:06 CEST by Nicolas Salguero
Modified: 2026-05-21 21:14 CEST

See Also:
Source RPM: vim-9.2.437-1.mga9.src.rpm
CVE: CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Status comment:


Nicolas Salguero 2026-05-07 22:07:09 CEST

Source RPM: (none) => vim-9.2.437-1.mga10.src.rpm, vim-9.2.437-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+

Nicolas Salguero 2026-05-09 11:48:04 CEST

CVE: (none) => CVE-2026-45130
Status comment: (none) => Fixed upstream in 9.2.450
Summary: vim new security issue => vim new security issue CVE-2026-45130
Depends on: (none) => 35332

Comment 1 Lewis Smith 2026-05-12 20:29:16 CEST
I am giving it back to you because you are the one who updates vim in Cauldron.

Assignee: bugsquad => nicolas.salguero

Comment 2 Nicolas Salguero 2026-05-15 10:09:17 CEST
References:
https://www.openwall.com/lists/oss-security/2026/05/14/6
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
https://www.openwall.com/lists/oss-security/2026/05/14/7
https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3

CVE: CVE-2026-45130 => CVE-2026-45130, CVE-2026-43961, CVE-2026-46483
Status comment: Fixed upstream in 9.2.450 => Fixed upstream in 9.2.480
Summary: vim new security issue CVE-2026-45130 => vim new security issues CVE-2026-45130, CVE-2026-43961, CVE-2026-46483

Comment 4 Nicolas Salguero 2026-05-18 11:10:32 CEST
For Cauldron, I asked for a freeze move.

Source RPM: vim-9.2.437-1.mga10.src.rpm, vim-9.2.437-1.mga9.src.rpm => vim-9.2.437-1.mga9.src.rpm
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)

Comment 5 Nicolas Salguero 2026-05-18 14:31:23 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heap Buffer Overflow in spell file loading affects Vim < 9.2.0450. (CVE-2026-45130)

Vimscript Code Injection in netrw NetrwMarkFile() via crafted filename affects Vim < 9.2.0480. (CVE-2026-43961)

Command Injection in tar.vim affects Vim < 9.2.0479. (CVE-2026-46483)

Vimscript Code Injection in netrw NetrwBookHistSave() via crafted directory name affects Vim < 9.2.0495.

Vimscript Code Injection in cucumber filetype plugin via crafted step-definition regex affects Vim < 9.2.0496.

References:
https://www.openwall.com/lists/oss-security/2026/05/07/9
https://github.com/vim/vim/security/advisories/GHSA-q4jv-r9gj-6cwv
https://www.openwall.com/lists/oss-security/2026/05/14/6
https://github.com/vim/vim/security/advisories/GHSA-2fpv-9ff7-xg5w
https://www.openwall.com/lists/oss-security/2026/05/14/7
https://github.com/vim/vim/security/advisories/GHSA-66hr-7p6x-x5j3
https://www.openwall.com/lists/oss-security/2026/05/17/3
https://github.com/vim/vim/security/advisories/GHSA-crm5-rh6j-2c7c
https://www.openwall.com/lists/oss-security/2026/05/17/4
https://github.com/vim/vim/security/advisories/GHSA-4473-94jm-w5x9
========================

Updated packages in core/updates_testing:
========================
vim-X11-9.2.498-1.mga9
vim-common-9.2.498-1.mga9
vim-enhanced-9.2.498-1.mga9
vim-minimal-9.2.498-1.mga9

from SRPM:
vim-9.2.498-1.mga9.src.rpm

Status comment: Fixed upstream in 9.2.496 => (none)
Assignee: nicolas.salguero => qa-bugs
Status: NEW => ASSIGNED

katnatek 2026-05-19 03:38:28 CEST

Keywords: (none) => advisory

Comment 6 Brian Rockwell 2026-05-21 21:14:00 CEST
mga9-64, 

vim file, edited it saved it.

CC: (none) => brtians1

