CVE-2026-43961

Public on 2026-05-15
Modified on 2026-05-15
Description
A Vimscript code injection vulnerability exists in `s:NetrwMarkFile()` in the
netrw plugin (`runtime/pack/dist/opt/netrw/autoload/netrw.vim`) when
unmarking files from the global marked-file list. A filename derived
from the buffer's directory listing is interpolated into a string
expression passed to `filter()`, allowing a crafted filename containing
a double quote to break out of the quoted string literal and execute
arbitrary Vimscript, including shell commands via `execute()` and `:!`.

## Description
`s:NetrwMarkFile()` maintains two marked-file lists: a buffer-local list
and a global list. When a file is unmarked, both lists are updated.
The buffer-local list uses the safe pattern:

```vim
call filter(s:netrwmarkfilelist_{curbufnr},'v:val != a:fname')
```

where `a:fname` is referenced as a variable inside the filter expression
and resolved at evaluation time. The global list, however, interpolated
the filename's value directly into the expression string:

```vim
let dname = netrw#fs#ComposePath(b:netrw_curdir, a:fname)
...
call filter(s:netrwmarkfilelist, 'v:val != "'.dname.'"')
```

When `filter()` receives a string argument, the string is parsed as a
Vimscript expression. A filename containing `"` terminates the quoted
literal early, after which the remainder of the filename is evaluated as
Vimscript. Calls such as `execute("!cmd")` inside the injected fragment
run arbitrary Ex commands with the privileges of the user running Vim.
The filename reaches `s:NetrwMarkFile()` through the `mf` mapping, which
calls `s:NetrwGetWord()` to read the filename from the current line of
the netrw directory listing. The injection only triggers on the second
`mf` press for a given entry, because the first press takes the
`add()` branch and only the second takes the vulnerable `filter()`
branch.
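The two patterns side by side, as an added example that is not netrw's code and not part of this advisory: the unsafe string interpolation from the vulnerable branch, the variable-reference form netrw already used for the buffer-local list, and a lambda form that builds no expression string at all, followed by a check that runs them against a constructed filename containing a double quote. The function and variable names (`DemoUnmark*`, `DemoCheck`, `g:demo_marked`) and the sample paths are hypothetical.

```vim
" Added example, not netrw's code. Source this file in Vim (:source %) to
" compare the unsafe and safe ways of removing one entry from a list.
" Constructed sample list; the middle entry contains a double quote on purpose.
let g:demo_marked = ['/tmp/plain.txt', '/tmp/has"quote.txt', '/tmp/other.txt']

" Unsafe: the filename's VALUE becomes part of the expression source text.
" With dname = '/tmp/has"quote.txt' the string handed to filter() is
"   v:val != "/tmp/has"quote.txt"
" so the literal ends at the second quote and the rest is parsed as Vimscript.
function! DemoUnmarkUnsafe(dname) abort
  let l:list = copy(g:demo_marked)
  call filter(l:list, 'v:val != "' . a:dname . '"')
  return l:list
endfunction

" Safe (the pattern netrw already used for the buffer-local list): the
" expression names the variable; its value is resolved at evaluation time
" and never parsed as code.
function! DemoUnmarkByName(dname) abort
  let l:list = copy(g:demo_marked)
  call filter(l:list, 'v:val !=# a:dname')
  return l:list
endfunction

" Safe: a lambda receives each item as an argument, so there is no
" expression string to break out of.
function! DemoUnmarkLambda(dname) abort
  let l:list = copy(g:demo_marked)
  call filter(l:list, {idx, val -> val !=# a:dname})
  return l:list
endfunction

" Self-check: both safe variants remove exactly the quoted entry; the unsafe
" variant cannot even evaluate it (the truncated expression raises an error).
function! DemoCheck() abort
  let l:target = '/tmp/has"quote.txt'
  let l:want = ['/tmp/plain.txt', '/tmp/other.txt']
  let l:ok = DemoUnmarkByName(l:target) ==# l:want
  let l:ok = l:ok && DemoUnmarkLambda(l:target) ==# l:want
  try
    call DemoUnmarkUnsafe(l:target)
    " Reaching here would mean the value was not parsed as code; it is.
    let l:ok = 0
  catch
    " Expected: a Vim expression error caused by the early-terminated literal.
  endtry
  return l:ok
endfunction

echo DemoCheck()
```

The variable-reference form is the minimal fix for the pattern described above; the lambda form is worth preferring in new code because it removes the expression-string mechanism entirely, so there is nothing for a filename (or any other untrusted value) to escape from.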
Severity
Medium
CVSS v3 Base Score
4.8

Affected Packages

| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | vim | | | Pending Fix |
| Amazon Linux 2023 | vim | | | Pending Fix |

CVSS Scores

| Score Type | Score | Vector |
|---|---|---|
| Amazon Linux CVSSv3 | 4.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |