Amazon Linux 2 Security Advisory: ALAS2-2026-3292
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
Severity:
Important
Issue Overview:
Vim is an open source, command line text editor. Prior to 9.2.0357, A command injection vulnerability exists in Vim's tag file processing. When resolving a tag, the filename field from the tags file is passed through wildcard expansion to resolve environment variables and wildcards. If the filename field contains backtick syntax (e.g., `command`), Vim executes the embedded command via the system shell with the full privileges of the running user. (CVE-2026-41411)
Affected Packages:
vim
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update vim or yum update --advisory ALAS2-2026-3292 to update your system.
New Packages:
aarch64:
vim-common-9.0.2153-1.amzn2.0.6.aarch64
vim-minimal-9.0.2153-1.amzn2.0.6.aarch64
vim-enhanced-9.0.2153-1.amzn2.0.6.aarch64
vim-X11-9.0.2153-1.amzn2.0.6.aarch64
xxd-9.0.2153-1.amzn2.0.6.aarch64
vim-debuginfo-9.0.2153-1.amzn2.0.6.aarch64
i686:
vim-common-9.0.2153-1.amzn2.0.6.i686
vim-minimal-9.0.2153-1.amzn2.0.6.i686
vim-enhanced-9.0.2153-1.amzn2.0.6.i686
vim-X11-9.0.2153-1.amzn2.0.6.i686
xxd-9.0.2153-1.amzn2.0.6.i686
vim-debuginfo-9.0.2153-1.amzn2.0.6.i686
noarch:
vim-filesystem-9.0.2153-1.amzn2.0.6.noarch
vim-data-9.0.2153-1.amzn2.0.6.noarch
src:
vim-9.0.2153-1.amzn2.0.6.src
x86_64:
vim-common-9.0.2153-1.amzn2.0.6.x86_64
vim-minimal-9.0.2153-1.amzn2.0.6.x86_64
vim-enhanced-9.0.2153-1.amzn2.0.6.x86_64
vim-X11-9.0.2153-1.amzn2.0.6.x86_64
xxd-9.0.2153-1.amzn2.0.6.x86_64
vim-debuginfo-9.0.2153-1.amzn2.0.6.x86_64