{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/modeline/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-34982"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["vim","modeline","sandbox-bypass","code-execution","cve-2026-34982"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVim, a widely used open-source command-line text editor, is susceptible to a critical vulnerability (CVE-2026-34982) affecting versions prior to 9.2.0276. This flaw allows a malicious actor to execute arbitrary operating system commands by crafting a specific file that exploits a bypass in the modeline sandbox. The vulnerability arises from the \u003ccode\u003ecomplete\u003c/code\u003e, \u003ccode\u003eguitabtooltip\u003c/code\u003e, and \u003ccode\u003eprintheader\u003c/code\u003e options lacking the \u003ccode\u003eP_MLE\u003c/code\u003e flag, and the \u003ccode\u003emapset()\u003c/code\u003e function not having a \u003ccode\u003echeck_secure()\u003c/code\u003e call, which permits exploitation from sandboxed expressions. Successful exploitation requires a user to open a specially crafted file. This poses a significant risk, as attackers could leverage this vulnerability to gain unauthorized access to systems, escalate privileges, or perform other malicious activities. 
The vulnerability was patched in commit 9.2.0276.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious file containing a modeline with embedded OS commands.\u003c/li\u003e\n\u003cli\u003eThe crafted file is distributed to the target via social engineering or other means.\u003c/li\u003e\n\u003cli\u003eVictim opens the malicious file using a vulnerable version of Vim (prior to 9.2.0276).\u003c/li\u003e\n\u003cli\u003eVim parses the modeline in the file.\u003c/li\u003e\n\u003cli\u003eDue to the missing \u003ccode\u003eP_MLE\u003c/code\u003e flag in \u003ccode\u003ecomplete\u003c/code\u003e, \u003ccode\u003eguitabtooltip\u003c/code\u003e, or \u003ccode\u003eprintheader\u003c/code\u003e options, the modeline is executed without proper sandboxing.\u003c/li\u003e\n\u003cli\u003eAlternatively, the \u003ccode\u003emapset()\u003c/code\u003e function, lacking a \u003ccode\u003echeck_secure()\u003c/code\u003e call, is abused from the sandboxed expression in the modeline.\u003c/li\u003e\n\u003cli\u003eArbitrary OS commands embedded in the modeline are executed with the privileges of the user running Vim.\u003c/li\u003e\n\u003cli\u003eAttacker achieves code execution, potentially leading to system compromise, data exfiltration, or further malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-34982 can lead to arbitrary code execution on the affected system. The severity is compounded by the widespread use of Vim in various environments, including development, system administration, and general text editing. The impact could range from data breaches and malware installation to complete system compromise, depending on the commands executed and the privileges of the user opening the malicious file. 
While the exact number of potential victims is unknown, the ubiquity of Vim makes this vulnerability a significant concern for any organization using unpatched versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vim to version 9.2.0276 or later to patch CVE-2026-34982.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect the execution of potentially malicious Vim commands based on process execution patterns.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from Vim processes after the execution of potentially malicious files, using network connection logs.\u003c/li\u003e\n\u003cli\u003eUse endpoint detection and response (EDR) solutions to identify and block suspicious processes spawned by Vim, leveraging process creation logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-06T16:16:38Z","date_published":"2026-04-06T16:16:38Z","id":"/briefs/2026-04-vim-modeline-bypass/","summary":"A critical vulnerability in Vim versions prior to 9.2.0276 allows arbitrary OS command execution via a crafted file that bypasses the modeline sandbox due to missing security checks, potentially leading to code execution.","title":"Vim Modeline Sandbox Bypass Vulnerability (CVE-2026-34982)","url":"https://feed.craftedsignal.io/briefs/2026-04-vim-modeline-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["rce","vim","emacs","git","modeline"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA researcher at Calif discovered vulnerabilities in Vim and GNU Emacs using the Claude AI assistant. The Vim vulnerability (versions 9.2.0271 and earlier) results from missing security checks in modeline handling, allowing arbitrary code execution when a specially crafted file is opened. A patch is available in version 9.2.0272. 
The GNU Emacs vulnerability stems from its integration with Git\u0026rsquo;s version control (vc-git) and remains unpatched. Opening a file can trigger Git operations via \u003ccode\u003evc-refresh-state\u003c/code\u003e, leading to the execution of arbitrary commands defined in a user-controlled \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program within a hidden \u003ccode\u003e.git/config\u003c/code\u003e file. This affects users who open files from untrusted sources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker creates a malicious archive containing a text file and a hidden \u003ccode\u003e.git/\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e.git/\u003c/code\u003e directory includes a \u003ccode\u003econfig\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003econfig\u003c/code\u003e file contains a \u003ccode\u003ecore.fsmonitor\u003c/code\u003e entry pointing to a malicious executable.\u003c/li\u003e\n\u003cli\u003eThe attacker distributes the archive (e.g., via email or shared drive).\u003c/li\u003e\n\u003cli\u003eVictim extracts the archive on their system.\u003c/li\u003e\n\u003cli\u003eThe victim opens the seemingly benign text file within GNU Emacs.\u003c/li\u003e\n\u003cli\u003eGNU Emacs\u0026rsquo; \u003ccode\u003evc-git\u003c/code\u003e integration triggers \u003ccode\u003evc-refresh-state\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003evc-refresh-state\u003c/code\u003e causes Git to read the attacker-controlled \u003ccode\u003e.git/config\u003c/code\u003e file and execute the malicious \u003ccode\u003ecore.fsmonitor\u003c/code\u003e program, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities leads to arbitrary code execution with the privileges of the user running Vim or Emacs. 
 For Vim, all versions 9.2.0271 and earlier are affected until patched. Because the Emacs vulnerability remains unpatched, it poses a significant risk to users who routinely open files from unknown or untrusted sources, potentially leading to system compromise and data breaches. The number of potential victims is substantial given the widespread use of these editors by developers and system administrators.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Vim to version 9.2.0272 or later to patch the RCE vulnerability related to modeline handling (refer to the Vim flaw and fix section).\u003c/li\u003e\n\u003cli\u003eExercise extreme caution when opening files from unknown sources or files downloaded from the internet in GNU Emacs, due to the unpatched Git integration vulnerability (refer to the GNU Emacs points to Git section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule that detects execution of git with an unusual \u003ccode\u003ecore.fsmonitor\u003c/code\u003e configuration to your SIEM and tune it for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T21:45:14Z","date_published":"2026-03-31T21:45:14Z","id":"/briefs/2026-03-vim-emacs-rce/","summary":"Vulnerabilities in Vim (\u003c=9.2.0271) and GNU Emacs allow remote code execution by opening a specially crafted file, leveraging flaws in modeline handling and Git integration, respectively.","title":"Vim and Emacs Remote Code Execution Vulnerabilities Triggered by File Opening","url":"https://feed.craftedsignal.io/briefs/2026-03-vim-emacs-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Modeline","version":"https://jsonfeed.org/version/1.1"}