Red Hat Product Errata RHSA-2026:6617 - Security Advisory
Issued:
2026-04-06
Updated:
2026-04-06

RHSA-2026:6617 - Security Advisory

Synopsis

Important: vim security update

Type/Severity

Security Advisory: Important

Red Hat Lightspeed patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for vim is now available for Red Hat Enterprise Linux 7 Extended Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Vim (Vi IMproved) is an updated and improved version of the vi editor.

Security Fix(es):

  • vim: Vim: Arbitrary code execution via 'helpfile' option processing (CVE-2026-25749)
  • vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin (CVE-2026-28417)
  • vim: Vim: Denial of service and information disclosure via crafted swap file (CVE-2026-28421)
  • vim: Vim: Arbitrary code execution via command injection in glob() function (CVE-2026-33412)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • Red Hat Enterprise Linux Server - Extended Life Cycle Support 7 x86_64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7 s390x
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7 ppc64
  • Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7 ppc64le

Fixes

  • BZ - 2437843 - CVE-2026-25749 vim: Vim: Arbitrary code execution via 'helpfile' option processing
  • BZ - 2443455 - CVE-2026-28417 vim: Vim: Arbitrary code execution via OS command injection in the netrw plugin
  • BZ - 2443474 - CVE-2026-28421 vim: Vim: Denial of service and information disclosure via crafted swap file
  • BZ - 2450907 - CVE-2026-33412 vim: Vim: Arbitrary code execution via command injection in glob() function

Red Hat Enterprise Linux Server - Extended Life Cycle Support 7

SRPM
vim-7.4.629-8.el7_9.1.src.rpm SHA-256: 2151bd85ac0db74081b7e874b0ae53c63e46ad31073f135ea3eafec63a780652
x86_64
vim-X11-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: b17c4001646ad5a9ccdfa066f0e4b0c4dd07de911419681a3fd4165279fcc8d7
vim-common-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: 1f19d65723edae6b2f5ff366b1882e90bec6770be24f8bf6b859121e0b2cf9de
vim-debuginfo-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: c3327f6434bad760d0c2a1e5810575d8b2e240859f7784a977211d6ef4c146c4
vim-enhanced-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: a8d4f46506801f04a14171d8fb4f2ddf9cbdd2e10e7ec3c821bc6a2e2cdae63c
vim-filesystem-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: 0c3f0b3f35d38fcb33f7e9b81b07124af58e1dc2a1a93c75a98639253892ddd2
vim-minimal-7.4.629-8.el7_9.1.x86_64.rpm SHA-256: 4a96c03b6d7466c4e8899986c0e21fa94c3e451181a64b32c1bdbbd9a9c99198

Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 7

SRPM
vim-7.4.629-8.el7_9.1.src.rpm SHA-256: 2151bd85ac0db74081b7e874b0ae53c63e46ad31073f135ea3eafec63a780652
s390x
vim-X11-7.4.629-8.el7_9.1.s390x.rpm SHA-256: 00df5550136dd55bde7dd26dbd161199067528b08553f5a0bb234cbe98ae3b26
vim-common-7.4.629-8.el7_9.1.s390x.rpm SHA-256: 4b280e474bacc23e6eeb8daa74750beb1286ea0a8fb89cd79ac92ef4a72723ab
vim-debuginfo-7.4.629-8.el7_9.1.s390x.rpm SHA-256: 78510dfc5c143faa0550efc5be0a755efd9d9e0496e88eac3f3137c5abcb3cac
vim-enhanced-7.4.629-8.el7_9.1.s390x.rpm SHA-256: 04dccb774dc19626912e8f5b57cc95adb8198cf5527adf88364cfeecc27f38a6
vim-filesystem-7.4.629-8.el7_9.1.s390x.rpm SHA-256: 5b5097a1c6db6c32ed2f3c844f4a97b4f640a9ddc298d94650755b984eb5459f
vim-minimal-7.4.629-8.el7_9.1.s390x.rpm SHA-256: b25eb7f47ea3d3ca5e2a2e26a3bf0f89f10f967562057933067f64db34b41c55

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, big endian 7

SRPM
vim-7.4.629-8.el7_9.1.src.rpm SHA-256: 2151bd85ac0db74081b7e874b0ae53c63e46ad31073f135ea3eafec63a780652
ppc64
vim-X11-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: 79a14ce8bab75578d674684c76422f255501a99ba9a4519aee10f59fff6f4a8a
vim-common-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: 97624a355b69a1b1e90fb4dc760b3a1f17ade26f64848664de4892c248b7284c
vim-debuginfo-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: 3c2896323f10d898c70935c4beba70eafed650f5b5c52b8082bc29d7e50be7e3
vim-enhanced-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: cb6abe60bd628fb05105c14c4e33cff7434c951b557c9ba30c258727af0febfc
vim-filesystem-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: a65ce09e8a3453c2df68a83ae91ef57037227e6004c3840c486f2d1b373c75f0
vim-minimal-7.4.629-8.el7_9.1.ppc64.rpm SHA-256: fe8b0f3898a935cb642b6dae4aaaffafb8bd1aa5b6f6397626117df719461592

Red Hat Enterprise Linux Server - Extended Life Cycle Support for IBM Power, little endian 7

SRPM
vim-7.4.629-8.el7_9.1.src.rpm SHA-256: 2151bd85ac0db74081b7e874b0ae53c63e46ad31073f135ea3eafec63a780652
ppc64le
vim-X11-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: d937b5ee55a972a8926148069062e963e88375322271397432052daf5db41512
vim-common-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: 6bbe40f47a32d46b5fc7278c5f725c9fd805dc91f4218c5b218570f140570b87
vim-debuginfo-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: e4fb1e51207a4a28f9c3515a2facb67ace18ee81a0ece3fceab696c8f3c47572
vim-enhanced-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: 11ab6e2787d8ca12fb69d8b63327694a0fc4e963fd663546aa1fca27408ad3af
vim-filesystem-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: c8847c7e9aba08ce4643ec80e5c343471d4f5f3bcbb8f64c819972c7fe10b5a9
vim-minimal-7.4.629-8.el7_9.1.ppc64le.rpm SHA-256: d691e31cef1c0c9da42de4ac0bd05b976fab24e8faeff86e4302d5655d543361

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.