[Security] MacVim affected by CVE-2026-41411 — tag file command injection via backtick in mch_has_wildcard() #1665

@dkgkdfg65

[Security] MacVim affected by CVE-2026-41411 — tag file command injection (vim < 9.2.0357)

Summary

MacVim bundles the vim source at version 9.2 (patches 1-332 in the current build), which is
below the patched version 9.2.0357 that fixes CVE-2026-41411.

Vulnerability Details

  • Upstream CVE: CVE-2026-41411
  • Inherited from: vim/vim
  • Affected code: tag file processing (wildcard expansion of filename fields)
  • Vulnerability type: CWE-78 — OS Command Injection
  • Fixed in: vim 9.2.0357 (commit c78194e41d5a0b05b0ddf383b6679b1503f977fb)

Root Cause

Prior to vim 9.2.0357, when resolving a tag, the filename field from the tags file is passed
through wildcard expansion to resolve environment variables and wildcards. If a crafted tags
file contains a filename with shell metacharacters or backtick-enclosed commands, those
commands are executed when the tag is resolved.

An attacker who can influence the tags file (e.g., via a malicious project or downloaded
code repository) can achieve arbitrary command execution when the victim opens a file and
navigates to a tag definition.

Affected MacVim Version

MacVim r183 (vim 9.2 patches 1-332) — current HEAD as of 2026-05-18.

The fix commit c78194e41d5a0b05b0ddf383b6679b1503f977fb from vim/vim is not present
in the macvim-dev/macvim repository:

git log --all --oneline | grep c78194e  # returns no output

Suggested Fix

Merge or cherry-pick vim/vim patches up to at least 9.2.0357:

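A defensive check for the root cause described in the issue above, as an added example that is not part of the issue or of the Vim/MacVim code: it scans a tags file before use and flags entries whose filename field contains a backtick or other shell metacharacters. The metacharacter set, the name `scan_tags` and the sample entries are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: a conservative set picked for this example, not Vim's own list.
# A plain $VAR is left alone because tags files may use environment variables.
SUSPICIOUS = re.compile(r"`|\$\(|[;|&<>]")


def scan_tags(text):
    """Return (line_no, tag, filename, matched_chars) for suspicious entries."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("!_TAG_"):
            continue  # blank line or ctags pseudo-tag header
        fields = line.split("\t", 2)
        if len(fields) < 3:
            continue  # not a {tagname}<Tab>{tagfile}<Tab>{tagaddress} entry
        tag, filename = fields[0], fields[1]
        hits = sorted(set(SUSPICIOUS.findall(filename)))
        if hits:
            findings.append((line_no, tag, filename, hits))
    return findings


# Constructed sample tags file; the flagged values are inert placeholders.
SAMPLE = "\n".join([
    "!_TAG_FILE_FORMAT\t2\t/extended format/",
    "main\tsrc/main.c\t/^int main(void)$/;\"\tf",
    "helper\t`CONSTRUCTED_PLACEHOLDER`\t/^void helper(void)$/;\"\tf",
    "parse\t$HOME/proj/parse.c\t/^int parse(char *s)$/;\"\tf",
    "init\tsrc/a.c;CONSTRUCTED\t1",
])

if __name__ == "__main__":
    # Scan the tags files named on the command line, or the sample if none.
    sources = sys.argv[1:] or [None]
    for path in sources:
        if path is None:
            text = SAMPLE
        else:
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
        for line_no, tag, filename, hits in scan_tags(text):
            print(f"{path or '<sample>'}:{line_no}: tag {tag!r} "
                  f"filename {filename!r} contains {hits}")
```

Running it over the `tags` files in a freshly cloned or downloaded project gives a quick review list while the bundled Vim is still below 9.2.0357.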