This Red Hat security advisory addresses four vulnerabilities in Vim, an improved version of the vi editor, affecting Red Hat Enterprise Linux 9.4 Extended Update Support and related variants. The vulnerabilities include: CVE-2026-25749, arbitrary code execution via 'helpfile' option processing; CVE-2026-28417, arbitrary code execution via OS command injection in the netrw plugin; CVE-2026-28421, denial of service and information disclosure via crafted swap files; and CVE-2026-33412, arbitrary code execution via command injection in the glob() function. These issues are rated with a security impact of Important by Red Hat. Updated Vim packages have been released to fix these vulnerabilities. The advisory references multiple bugzilla entries and provides links to updated RPM packages for various architectures.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on affected systems, cause denial of service, or disclose sensitive information through crafted swap files. The vulnerabilities affect multiple components of Vim, including option processing, plugins, and file handling. No known exploits in the wild have been reported. The impact is rated as high severity by the source data, indicating significant risk if unpatched.

Red Hat has released updated Vim packages for Red Hat Enterprise Linux 9.4 Extended Update Support and related variants that address these vulnerabilities. Users should apply these official updates promptly to remediate the issues. Details and instructions for applying the updates are available at https://access.redhat.com/articles/11258. Since this is not a cloud service, remediation depends on applying the vendor-provided patches. There are no indications that no action is required or that the issues are already mitigated without patching.