Researchers using Anthropic’s Claude assistant found remote code execution flaws in Vim and GNU Emacs that can be triggered by opening a file, with Vim patched in version 9.2.0272 and the Emacs issue still unresolved.
KEY FACTS
- Vim A crafted file could trigger arbitrary command execution when opened.
- Fix Vim 9.2.0272 addresses the flaw in earlier releases.
- Emacs The issue remains present in GNU Emacs, tied to Git integration.
- Trigger Opening a file from a hidden archive or untrusted directory can start the payload.
The findings came from a technical analysis by Calif, a cybersecurity firm focused on AI red teaming and security engineering. The researcher said Claude reviewed Vim source code, identified missing security checks and modeline handling issues, and helped build and refine proof of concept exploits.
In Vim, the bug affects version 9.2.0271 and earlier. The security bulletin says a victim only needs to open a specially crafted file for an attacker to gain command execution with the user’s privileges.
The Emacs issue comes from vc-git, where opening a file can trigger Git through vc-refresh-state. That can cause Git to read an attacker-controlled .git/config file and run a user-defined core.fsmonitor program, which may execute arbitrary commands. The latest GNU Emacs version remains unpatched, according to the report.
Nguyen suggested that Emacs could block core.fsmonitor in Git calls to prevent automatic execution of dangerous scripts when opening files. The report said users should be cautious with files from unknown sources or downloaded online.
WHY IT MATTERS
The flaws matter because both editors are widely used for coding and server work, and the trigger can be as simple as opening a file. One issue has been patched, while the other still leaves users exposed to malicious files that hide inside archives or shared folders.