[Security] MacVim affected by CVE-2026-46483 — tar.vim tar#Vimuntar() command injection #1669

@dkgkdfg65

[Security] MacVim affected by CVE-2026-46483 — tar#Vimuntar() command injection via shellescape (vim < 9.2.0479)

Summary

MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0479 that fixes CVE-2026-46483.

Vulnerability Details

  • Upstream CVE: CVE-2026-46483
  • Inherited from: vim/vim
  • Affected code: runtime/autoload/tar.vim, function tar#Vimuntar()
  • Vulnerability type: CWE-78 — OS Command Injection
  • Fixed in: vim 9.2.0479 (commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1)

Root Cause

In tar#Vimuntar() (runtime/autoload/tar.vim), the function decompresses a .tgz tarball
using :!gunzip and tar. The filename is escaped using shellescape(tartail) without
the second argument 1:

" runtime/autoload/tar.vim (macvim r183, around line 815)
if tartail =~ '\.tgz'
   if executable("gunzip")
    silent exe "!gunzip ".shellescape(tartail)

When vim's :! command processes the command string, the ! character in the filename
is interpreted by vim's command-line history substitution BEFORE the shell sees it.
shellescape(x, 0) (the default) does not escape ! for the vim :! context, while
shellescape(x, 1) does.

If an attacker can name a .tgz file to contain !command, and trick a user into
running tar#Vimuntar() on it, the embedded command is executed.

Affected MacVim Code

MacVim's runtime/autoload/tar.vim contains the vulnerable tar#Vimuntar() function at
line 784. The fix changes shellescape(tartail) to shellescape(tartail, 1) throughout
the function.

Note: neovim does NOT have the tar#Vimuntar() function and is not affected by this
specific vulnerability.

Affected MacVim Version

MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.

The fix commit 3fb5e58fbc63d86a3e65f1a141b0d67af2aa38a1 from vim/vim is not present
in the macvim-dev/macvim repository:

git log --all --oneline | grep 3fb5e58f  # returns no output

Suggested Fix

Merge or cherry-pick vim/vim patches up to at least 9.2.0479:

The fix changes shellescape(tartail) to shellescape(tartail, 1) which properly escapes
! characters for vim's :! command context.
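
A check for the pattern described above, written as an added example (not part of the original issue, and not Vim or MacVim code): it flags lines that build a `:!` command with `exe` and call `shellescape()` without a non-zero second argument. The names `unsafe_bang_lines`, `shellescape_args` and `SAMPLE` are hypothetical; the scan is a line-based heuristic with simplified quote handling, and the sample input is constructed from the excerpt quoted in the issue.

```python
import re

# Constructed sample: the vulnerable excerpt quoted in the issue, followed by
# the same line with the fix the issue describes (shellescape(tartail, 1)).
SAMPLE = '''\
if tartail =~ '\\.tgz'
   if executable("gunzip")
    silent exe "!gunzip ".shellescape(tartail)
    silent exe "!gunzip ".shellescape(tartail, 1)
'''
BANG_CMD = re.compile(r'''\bexe(?:cute)?\s+["']!''')  # exe "!..." builds a :! command


def shellescape_args(line):
    """Yield the top-level argument list of each shellescape(...) call on a line."""
    for m in re.finditer(r'\bshellescape\(', line):
        depth, quote, args, cur = 1, None, [], ''
        for ch in line[m.end():]:
            if quote:                      # inside a string literal (simplified)
                quote = None if ch == quote else quote
            elif ch in '"\'':
                quote = ch
            elif ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
                if depth == 0:             # end of this shellescape() call
                    break
            elif ch == ',' and depth == 1:
                args.append(cur.strip())   # top-level comma separates arguments
                cur = ''
                continue
            cur += ch
        args.append(cur.strip())
        yield args


def unsafe_bang_lines(text):
    """Return (line_no, line) where a :! command uses shellescape() without {special}."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if BANG_CMD.search(line) and any(
                len(a) < 2 or a[1] in ('0', '') for a in shellescape_args(line)):
            hits.append((no, line.strip()))
    return hits


print(unsafe_bang_lines(SAMPLE))
```

To check a real checkout, pass the contents of `runtime/autoload/tar.vim` to `unsafe_bang_lines()`; an empty result for that file is consistent with the fix being present, but it is not proof, because commands built in other ways are not matched.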
