{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/emacs/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","vim","emacs","git","modeline"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA researcher at Calif discovered vulnerabilities in Vim and GNU Emacs using the Claude AI assistant. The Vim vulnerability (versions 9.2.0271 and earlier) results from missing security checks in modeline handling, allowing arbitrary code execution when a specially crafted file is opened. A patch is available in version 9.2.0272. The GNU Emacs vulnerability stems from its integration with Git\u0026rsquo;s version control (vc-git) and remains unpatched. Opening a file can trigger Git operations via \u003ccode\u003evc-refresh-state\u003c/code\u003e, leading to the execution of arbitrary commands defined in a user-controlled \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program within a hidden \u003ccode\u003e.git/config\u003c/code\u003e file. 
This affects users who open files from untrusted sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious archive containing a text file and a hidden \u003ccode\u003e.git/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e.git/\u003c/code\u003e directory includes a \u003ccode\u003econfig\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfig\u003c/code\u003e file contains a \u003ccode\u003ecore.fsmonitor\u003c/code\u003e entry pointing to a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the archive (e.g., via email or shared drive).\u003c/li\u003e\n\u003cli\u003eVictim extracts the archive on their system.\u003c/li\u003e\n\u003cli\u003eThe victim opens the seemingly benign text file within GNU Emacs.\u003c/li\u003e\n\u003cli\u003eGNU Emacs\u0026rsquo; \u003ccode\u003evc-git\u003c/code\u003e integration triggers \u003ccode\u003evc-refresh-state\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evc-refresh-state\u003c/code\u003e causes Git to read the attacker-controlled \u003ccode\u003e.git/config\u003c/code\u003e file and execute the malicious \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads to arbitrary code execution with the privileges of the user running Vim or Emacs. For Vim, all versions 9.2.0271 and earlier are affected until patched. While the Emacs vulnerability remains unpatched, it poses a significant risk to users who routinely open files from unknown or untrusted sources, potentially leading to system compromise and data breaches. 
The number of potential victims is substantial given the widespread use of these editors by developers and system administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vim to version 9.2.0272 or later to patch the RCE vulnerability related to modeline handling (refer to the Vim flaw and fix section).\u003c/li\u003e\n\u003cli\u003eWhen using GNU Emacs, exercise extreme caution when opening files from unknown sources or files downloaded online, because the Git integration vulnerability is unpatched (refer to the GNU Emacs points to Git section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects execution of git with an unusual core.fsmonitor configuration to your SIEM, and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:45:14Z","date_published":"2026-03-31T21:45:14Z","id":"/briefs/2026-03-vim-emacs-rce/","summary":"Vulnerabilities in Vim (\u003c=9.2.0271) and GNU Emacs allow remote code execution by opening a specially crafted file, leveraging flaws in modeline handling and Git integration, respectively.","title":"Vim and Emacs Remote Code Execution Vulnerabilities Triggered by File Opening","url":"https://feed.craftedsignal.io/briefs/2026-03-vim-emacs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Emacs","version":"https://jsonfeed.org/version/1.1"}