Arbitrary code execution via malicious docstrings in Python omni-completion
Summary
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699. There is a security flaw in Vim. If you use Vim to open a malicious file written by a hacker, and you use the auto-complete feature while typing, the file can secretly force your computer to run unauthorized commands or malware. This flaw is rated as Important. A vulnerability in Vim's Python omni-completion feature allows for arbitrary code execution. By opening a specially crafted file, a local attacker could execute arbitrary Python code due to improper handling of docstrings during omni-completion, leading to a compromise of the system where Vim is running. Red Hat severity: Important — CVSS 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Weakness: CWE-94. Fixed by RHSA-2026:35387 — update the affected packages (`sudo dnf update`). Affected Red Hat products: Red Hat Hardened Images.
- vim-main-9.2.780-1.hum1
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
- vim-main-9.2.780-1.hum1
- RHSA-2026:35387
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Mitigation checklist
- To mitigate this vulnerability, users should avoid opening untrusted Python files or using Python omni-completion on such files. If Python omni-completion is not required, it can be disabled by adding `autocmd FileType python setlocal omnifunc=` to your `.vimrc` file. This will prevent the vulnerable code from being executed. Disabling Python omni-completion will remove the ability to use `Ctrl-X Ctrl-O` for Python code completion. A restart of Vim is required for the changes to take effect.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.