<div class="container">
<h1>Security update for vim</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:1764-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-05-08T10:39:49Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261833">bsc#1261833</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-39881.html">CVE-2026-39881</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-39881</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-39881</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-39881</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.0</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-39881</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.8</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves one vulnerability can now be installed.</p>
<h2>Description:</h2>
<p>This update for vim fixes the following issue:</p>
<p>Security fixes:</p>
<ul>
<li>CVE-2026-39881: command injection in NetBeans interface can lead to arbitrary file reads and writes (bsc#1261833).</li>
</ul>
<p>Other fixes:</p>
<ul>
<li>Update to 9.2.0398.</li>
<li>9.2.0398: MS-Windows: missing strptime() support</li>
<li>9.2.0397: tabpanel: double-click opens a new tab</li>
<li>9.2.0396: tests: Test_error_callback_terminal is flaky on macOS</li>
<li>9.2.0395: tests: Test_backupskip() may read from $HOME</li>
<li>9.2.0394: xxd: offsets greater than LONG_MAX print as negative</li>
<li>9.2.0393: MS-Windows: link error with XPM support on UCRT64</li>
<li>9.2.0392: tests: Some tests are flaky</li>
<li>9.2.0391: tests: Comment in test_vim9_cmd breaks syntax highlighting</li>
<li>9.2.0390: filetype: some Beancount files are not recognized</li>
<li>9.2.0389: DECRQM still leaves stray "pp" on Apple Terminal.app</li>
<li>9.2.0388: strange indent in update_topline()</li>
<li>9.2.0387: DECRQM request may leave stray chars in terminal</li>
<li>9.2.0386: No scroll/scrollbar support in the tabpanel</li>
<li>9.2.0385: Integer overflow with "ze" and large 'sidescrolloff'</li>
<li>9.2.0384: stale Insstart after <Cmd> cursor move breaks undo</li>
<li>9.2.0383: [security]: runtime(netrw): shell-injection via sftp: and file: URLs</li>
<li>9.2.0382: Wayland: focus-stealing is non-working</li>
<li>9.2.0381: Vim9: Missing check_secure() in exec_instructions()</li>
<li>9.2.0380: completion: a few issues in completion code</li>
<li>9.2.0379: gui.color_approx is never used</li>
<li>9.2.0378: Using int as bool type in win_T struct</li>
<li>9.2.0377: Using int as bool type in gui_T struct</li>
<li>9.2.0376: Vim9: elseif condition compiled in dead branch</li>
<li>9.2.0375: prop_find() does not find a virt text in starting line</li>
<li>9.2.0374: c_CTRL-{G,T} does not handle offset</li>
<li>9.2.0373: Ctrl-R mapping not triggered during completion</li>
<li>9.2.0372: pum: rendering issues with multibyte text and opacity</li>
<li>9.2.0371: filetype: ghostty config files are not recognized</li>
<li>9.2.0370: duplicate code with literal string_T assignment</li>
<li>9.2.0369: multiple definitions of STRING_INIT macro</li>
<li>9.2.0368: too many strlen() calls when adding strings to dicts</li>
<li>9.2.0367: runtime(netrw): ~ note expanded on MS Windows</li>
<li>9.2.0366: pum: flicker when updating pum in place</li>
<li>9.2.0365: using int as bool</li>
<li>9.2.0364: tests: test_smoothscroll_textoff_showbreak() fails</li>
<li>9.2.0363: Vim9: variable shadowed by script-local function</li>
<li>9.2.0362: division by zero with smoothscroll and small windows</li>
<li>9.2.0361: tests: no tests for ch_listen() with IPs</li>
<li>9.2.0360: Cannot handle mouse-clicks in the tabpanel</li>
<li>9.2.0359: wrong VertSplitNC highlighting on winbar</li>
<li>9.2.0358: runtime(vimball): still path traversal attacks possible</li>
<li>9.2.0357: [security]: command injection via backticks in tag files</li>
<li>9.2.0356: Cannot apply 'scrolloff' context lines at end of file</li>
<li>9.2.0355: runtime(tar): missing path traversal checks in tar#Extract()</li>
<li>9.2.0354: filetype: not all Bitbake include files are recognized</li>
<li>9.2.0353: Missing out-of-memory check in register.c</li>
<li>9.2.0352: 'winhighlight' of left window blends into right window</li>
<li>9.2.0351: repeat_string() can be improved</li>
<li>9.2.0350: Enabling modelines poses a risk</li>
<li>9.2.0349: cannot style non-current window separator</li>
<li>9.2.0348: potential buffer underrun when setting statusline like option</li>
<li>9.2.0347: Vim9: script-local variable not found</li>
<li>9.2.0346: Wrong cursor position when entering command line window</li>
<li>9.2.0345: Wrong autoformatting with 'autocomplete'</li>
<li>9.2.0344: channel: ch_listen() can bind to network interface</li>
<li>9.2.0343: tests: test_clientserver may fail on slower systems</li>
<li>9.2.0342: tests: test_excmd.vim leaves swapfiles behind</li>
<li>9.2.0341: some functions can be run from the sandbox</li>
<li>9.2.0340: pum_redraw() may cause flicker</li>
<li>9.2.0339: regexp: nfa_regmatch() allocates and frees too often</li>
<li>9.2.0338: Cannot handle mouseclicks in the tabline</li>
<li>9.2.0337: list indexing broken on big-endian 32-bit platforms</li>
<li>9.2.0336: libvterm: no terminal reflow support</li>
<li>9.2.0335: json_encode() uses recursive algorithm</li>
<li>9.2.0334: GTK: window geometry shrinks with with client-side decorations</li>
<li>9.2.0333: filetype: PklProject files are not recognized</li>
<li>9.2.0332: popup: still opacity rendering issues</li>
<li>9.2.0331: spellfile: stack buffer overflows in spell file generation</li>
<li>9.2.0330: tests: some patterns in tar and zip plugin tests not strict enough</li>
<li>9.2.0329: tests: test_indent.vim leaves swapfiles behind</li>
<li>9.2.0328: Cannot handle mouseclicks in the statusline</li>
<li>9.2.0327: filetype: uv scripts are not detected</li>
<li>9.2.0326: runtime(tar): but with dotted path</li>
<li>9.2.0325: runtime(tar): bug in zstd handling</li>
<li>9.2.0324: 0x9b byte not unescaped in <Cmd> mapping</li>
<li>9.2.0323: filetype: buf.lock files are not recognized</li>
<li>9.2.0322: tests: test_popupwin fails</li>
<li>9.2.0321: MS-Windows: No OpenType font support</li>
<li>9.2.0320: several bugs with text properties</li>
<li>9.2.0319: popup: rendering issues with partially transparent popups</li>
<li>9.2.0318: cannot configure opacity for popup menu</li>
<li>9.2.0317: listener functions do not check secure flag</li>
<li>9.2.0316: [security]: command injection in netbeans interface via defineAnnoType</li>
<li>9.2.0315: missing bound-checks</li>
<li>9.2.0314: channel: can bind to all network interfaces</li>
<li>9.2.0313: Callback channel not registered in GUI</li>
<li>9.2.0312: C-type names are marked as translatable</li>
<li>9.2.0311: redrawing logic with text properties can be improved</li>
<li>9.2.0310: unnecessary work in vim_strchr() and find_term_bykeys()</li>
<li>9.2.0309: Missing out-of-memory check to may_get_cmd_block()</li>
<li>9.2.0308: Error message E1547 is wrong</li>
<li>9.2.0307: more mismatches between return types and documentation</li>
<li>9.2.0306: runtime(tar): some issues with lz4 support</li>
<li>9.2.0305: mismatch between return types and documentation</li>
<li>9.2.0304: tests: test for 9.2.0285 doesn't always fail without the fix</li>
<li>9.2.0303: tests: zip plugin tests don't check for warning message properly</li>
<li>9.2.0302: runtime(netrw): RFC2396 decoding double escaping spaces</li>
<li>9.2.0301: Vim9: void function return value inconsistent</li>
<li>9.2.0300: The vimball plugin needs some love</li>
<li>9.2.0299: runtime(zip): may write using absolute paths</li>
<li>9.2.0298: Some internal variables are not modified</li>
<li>9.2.0297: libvterm: can improve CSI overflow code</li>
<li>9.2.0296: Redundant and incorrect integer pointer casts in drawline.c</li>
<li>9.2.0295: 'showcmd' shows wrong Visual block size with 'linebreak'</li>
<li>9.2.0294: if_lua: lua interface does not work with lua 5.5</li>
<li>9.2.0293: :packadd may lead to heap-buffer-overflow</li>
<li>9.2.0292: E340 internal error when using method call on void value</li>
<li>9.2.0291: too many strlen() calls</li>
<li>9.2.0290: Amiga: no support for AmigaOS 3.x</li>
<li>9.2.0289: 'linebreak' may lead to wrong Visual block highlighting</li>
<li>9.2.0288: libvterm: signed integer overflow parsing long CSI args</li>
<li>9.2.0287: filetype: not all ObjectScript routines are recognized</li>
<li>9.2.0286: still some unnecessary (int) casts in alloc()</li>
<li>9.2.0285: :syn sync grouphere may go beyond end of line</li>
<li>9.2.0284: tabpanel: crash when tabpanel expression returns variable line count</li>
<li>9.2.0283: unnecessary (int) casts before alloc() calls</li>
<li>9.2.0282: tests: Test_viminfo_len_overflow() fails</li>
<li>9.2.0281: tests: Test_netrw_FileUrlEdit.. fails on Windows</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-1764=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (x86_64)
<ul>
<li>vim-debuginfo-9.2.0398-17.65.1</li>
<li>vim-9.2.0398-17.65.1</li>
<li>gvim-9.2.0398-17.65.1</li>
<li>gvim-debuginfo-9.2.0398-17.65.1</li>
<li>vim-debugsource-9.2.0398-17.65.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
<ul>
<li>vim-data-common-9.2.0398-17.65.1</li>
<li>vim-data-9.2.0398-17.65.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-39881.html">https://www.suse.com/security/cve/CVE-2026-39881.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1261833">https://bugzilla.suse.com/show_bug.cgi?id=1261833</a>
</li>
</ul>
</div>