This security advisory from Red Hat addresses three vulnerabilities in Vim: CVE-2026-28417 allows arbitrary code execution via OS command injection in the netrw plugin; CVE-2026-28421 enables denial of service and information disclosure through crafted swap files; and CVE-2026-33412 permits arbitrary code execution via command injection in the glob() function. These issues affect multiple architectures and versions of Red Hat Enterprise Linux 8. The advisory provides updated Vim packages to fix these vulnerabilities. The vulnerabilities are categorized under CWE-78 (OS Command Injection) and CWE-120 (Buffer Copy without Checking Size of Input). No CVSS scores are provided, but the impact is significant due to the possibility of arbitrary code execution and information disclosure.

Successful exploitation of CVE-2026-28417 and CVE-2026-33412 could allow an attacker to execute arbitrary code on affected systems, potentially leading to full system compromise. CVE-2026-28421 could cause denial of service and leak sensitive information via crafted swap files. These vulnerabilities affect core text editing functionality in Vim, which is widely used in Red Hat Enterprise Linux 8 environments. No known exploits in the wild have been reported, but the potential impact is high given the nature of the vulnerabilities.

Red Hat has released updated Vim packages that address these vulnerabilities. Users and administrators should apply the security update as soon as possible by following the instructions in the Red Hat advisory RHSA-2026:6915 and the referenced article https://access.redhat.com/articles/11258. Applying these official patches is the recommended and effective mitigation. No additional vendor-recommended mitigations or workarounds are indicated in the advisory.