Duty Analyst: Joseph McCarthy

CVE-2026-34714

Published: 2026-03-30 19:16:27 | Last modified: 2026-06-30 03:18:57

CRITICAL CVSS 9.2
No EPSS data

Description

Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE.

CVSS details

Severity
critical
Score
9.2
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

EPSS

This CVE is not currently listed in the EPSS dataset.

Show JSON
{
    "cve": {
        "id": "CVE-2026-34714",
        "cveTags": [],
        "metrics": {
            "ssvcV203": [
                {
                    "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "ssvcData": {
                        "id": "CVE-2026-34714",
                        "role": "CISA Coordinator",
                        "options": [
                            {
                                "exploitation": "none"
                            },
                            {
                                "automatable": "no"
                            },
                            {
                                "technicalImpact": "total"
                            }
                        ],
                        "version": "2.0.3",
                        "timestamp": "2026-03-31T03:55:42.420298Z"
                    }
                }
            ],
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "cve@mitre.org",
                    "cvssData": {
                        "scope": "CHANGED",
                        "version": "3.1",
                        "baseScore": 9.2,
                        "attackVector": "LOCAL",
                        "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                        "integrityImpact": "HIGH",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "LOW",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 6,
                    "exploitabilityScore": 2.5
                },
                {
                    "type": "Primary",
                    "source": "nvd@nist.gov",
                    "cvssData": {
                        "scope": "CHANGED",
                        "version": "3.1",
                        "baseScore": 8.6,
                        "attackVector": "LOCAL",
                        "baseSeverity": "HIGH",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                        "integrityImpact": "HIGH",
                        "userInteraction": "REQUIRED",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 6,
                    "exploitabilityScore": 1.8
                },
                {
                    "type": "Secondary",
                    "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
                    "cvssData": {
                        "scope": "CHANGED",
                        "version": "3.1",
                        "baseScore": 8.6,
                        "attackVector": "LOCAL",
                        "baseSeverity": "HIGH",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
                        "integrityImpact": "HIGH",
                        "userInteraction": "REQUIRED",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "HIGH",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 6,
                    "exploitabilityScore": 1.8
                }
            ]
        },
        "affected": [
            {
                "source": "cve@mitre.org",
                "affectedData": [
                    {
                        "vendor": "Vim",
                        "product": "Vim",
                        "versions": [
                            {
                                "status": "affected",
                                "version": "0",
                                "lessThan": "9.2.0272",
                                "versionType": "custom"
                            }
                        ],
                        "defaultStatus": "unaffected"
                    }
                ]
            },
            {
                "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
                "affectedData": [
                    {
                        "cpes": [
                            "cpe:/o:redhat:enterprise_linux:10"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat Enterprise Linux 10",
                        "defaultStatus": "unaffected"
                    },
                    {
                        "cpes": [
                            "cpe:/o:redhat:enterprise_linux:6"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat Enterprise Linux 6",
                        "defaultStatus": "unaffected"
                    },
                    {
                        "cpes": [
                            "cpe:/o:redhat:enterprise_linux:7"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat Enterprise Linux 7",
                        "defaultStatus": "unaffected"
                    },
                    {
                        "cpes": [
                            "cpe:/o:redhat:enterprise_linux:8"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat Enterprise Linux 8",
                        "defaultStatus": "unaffected"
                    },
                    {
                        "cpes": [
                            "cpe:/o:redhat:enterprise_linux:9"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat Enterprise Linux 9",
                        "defaultStatus": "unaffected"
                    },
                    {
                        "cpes": [
                            "cpe:/a:redhat:openshift:4"
                        ],
                        "vendor": "Red Hat",
                        "product": "Red Hat OpenShift Container Platform 4",
                        "defaultStatus": "unaffected"
                    }
                ]
            }
        ],
        "published": "2026-03-30T19:16:26.853",
        "references": [
            {
                "url": "https://github.com/vim/vim/commit/664701eb7576edb7c7c7d9f2d600815ec1f43459",
                "tags": [
                    "Patch"
                ],
                "source": "cve@mitre.org"
            },
            {
                "url": "https://github.com/vim/vim/releases/tag/v9.2.0272",
                "tags": [
                    "Release Notes"
                ],
                "source": "cve@mitre.org"
            },
            {
                "url": "https://github.com/vim/vim/security/advisories/GHSA-2gmj-rpqf-pxvh",
                "tags": [
                    "Vendor Advisory"
                ],
                "source": "cve@mitre.org"
            },
            {
                "url": "https://www.openwall.com/lists/oss-security/2026/03/30/3",
                "tags": [
                    "Mailing List",
                    "Third Party Advisory"
                ],
                "source": "cve@mitre.org"
            },
            {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/02/4",
                "tags": [
                    "Issue Tracking",
                    "Mailing List"
                ],
                "source": "af854a3a-2127-422b-91ae-364da2661108"
            },
            {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/02/5",
                "tags": [
                    "Mailing List"
                ],
                "source": "af854a3a-2127-422b-91ae-364da2661108"
            },
            {
                "url": "http://www.openwall.com/lists/oss-security/2026/04/03/6",
                "tags": [
                    "Mailing List"
                ],
                "source": "af854a3a-2127-422b-91ae-364da2661108"
            },
            {
                "url": "https://access.redhat.com/security/cve/CVE-2026-34714",
                "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
            },
            {
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453139",
                "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
            },
            {
                "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-34714.json",
                "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c"
            }
        ],
        "vulnStatus": "Modified",
        "weaknesses": [
            {
                "type": "Primary",
                "source": "cve@mitre.org",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-78"
                    }
                ]
            },
            {
                "type": "Secondary",
                "source": "0b0ca135-0b70-47e7-9f44-1890c2a1c46c",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-917"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "Vim before 9.2.0272 allows code execution that happens immediately upon opening a crafted file in the default configuration, because %{expr} injection occurs with tabpanel lacking P_MLE."
            },
            {
                "lang": "es",
                "value": "Vim anterior a la versi\u00f3n 9.2.0272 permite la ejecuci\u00f3n de c\u00f3digo que ocurre inmediatamente al abrir un archivo especialmente dise\u00f1ado en la configuraci\u00f3n predeterminada, porque se produce una inyecci\u00f3n de %{expr} con tabpanel que carece de P_MLE."
            }
        ],
        "lastModified": "2026-06-30T03:18:57.017",
        "configurations": [
            {
                "nodes": [
                    {
                        "negate": false,
                        "cpeMatch": [
                            {
                                "criteria": "cpe:2.3:a:vim:vim:*:*:*:*:*:*:*:*",
                                "vulnerable": true,
                                "matchCriteriaId": "66B6F7DD-9D84-4CA4-A789-40982BED72F8",
                                "versionEndExcluding": "9.2.0272",
                                "versionStartIncluding": "9.1.1390"
                            }
                        ],
                        "operator": "OR"
                    }
                ]
            }
        ],
        "sourceIdentifier": "cve@mitre.org"
    }
}