This security advisory from Red Hat addresses three vulnerabilities in Vim (Vi IMproved) editor versions included with Red Hat Enterprise Linux 9. The first vulnerability (CVE-2026-28417) involves arbitrary code execution through OS command injection in the netrw plugin. The second (CVE-2026-28421) allows denial of service and information disclosure via specially crafted swap files. The third (CVE-2026-33412) permits arbitrary code execution through command injection in the glob() function. These issues are rated as important by Red Hat Product Security and affect multiple architectures. The advisory includes updated Vim packages that fix these vulnerabilities. Detailed CVSS scores and additional technical details are available on the referenced CVE pages. No exploits are currently known to be active in the wild.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on affected systems, cause denial of service, or disclose sensitive information. The arbitrary code execution vulnerabilities (CVE-2026-28417 and CVE-2026-33412) pose a high risk as they could lead to full system compromise. The denial of service and information disclosure vulnerability (CVE-2026-28421) could disrupt service availability and leak information. These vulnerabilities affect multiple architectures and versions of Red Hat Enterprise Linux 9.

Red Hat has released updated Vim packages that address these vulnerabilities. Users of affected Red Hat Enterprise Linux 9 versions should apply the security updates as detailed in Red Hat advisory RHSA-2026:8259 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor guidance indicates that other mitigations are necessary.