Vim Tabpanel Modeline Escape Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in Vim versions prior to 9.2.0272 allows arbitrary code execution through the `tabpanel` option, which lacked proper modeline protection. When a crafted file is opened, the absence of the `P_MLE` flag on `tabpanel` lets a modeline inject `%{expr}` expression strings that are evaluated after the file is opened, bypassing the sandbox restrictions that normally apply to modelines. The issue arises because `autocmd_add()` performs no security check, so the registered commands run with the privileges of the user running Vim.

Impact

Exploitation of this vulnerability leads to arbitrary command execution on the victim's system, with the same privileges as the user running Vim.

Reproduction

To reproduce this vulnerability, open a file containing a crafted modeline that injects a `%{expr}` expression into the `tabpanel` option. Ensure that Vim is running a version prior to 9.2.0272 and that the `modeline` feature is enabled. The injected expression will be executed after the file is opened, taking advantage of the missing security checks in the `autocmd_add()` function.
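As an added defensive check (not part of this advisory or of Vim itself), the following scanner looks only at the lines Vim would consider as modelines and reports any attempt to set `tabpanel` from one, which a file should never do. It assumes a simplified modeline grammar and that `tpl` is the short form of `tabpanel`; the sample inputs are constructed.

```python
import re
from typing import List, Tuple

# Vim only honours modelines in the first and last 'modelines' lines of a file
# (default 5), so the scanner inspects only those windows.
MODELINES = 5

# Simplified reconstruction of the modeline prefix ("vim:", "vi:", "ex:",
# "vim<version>:" after start of line or whitespace); an assumption, not Vim's parser.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|vim\d*|ex):\s*(?P<body>.*)$")

# Option names a modeline should never be allowed to set; 'tpl' is assumed to be
# the short form of 'tabpanel'.
WATCHED = {"tabpanel", "tpl"}


def extract_option_text(body: str) -> str:
    """In the "se[t] {options}:" form the options end at the first colon;
    otherwise the whole remainder of the line is the option list."""
    m = re.match(r"(?:set|se)\s+(.*?):", body)
    return m.group(1) if m else body


def scan_modelines(text: str) -> List[Tuple[int, str, bool]]:
    """Return (line number, option name, value contains '%{') for every
    modeline assignment to a watched option within the lines Vim inspects."""
    lines = text.splitlines()
    window = set(range(min(MODELINES, len(lines))))
    window |= set(range(max(0, len(lines) - MODELINES), len(lines)))
    findings = []
    for idx in sorted(window):
        m = MODELINE_RE.search(lines[idx])
        if not m:
            continue
        opts = extract_option_text(m.group("body"))
        # Options are separated by unescaped whitespace or colons.
        for token in re.split(r"(?<!\\)[\s:]+", opts):
            name = token.split("=", 1)[0].rstrip("+-^")
            if name in WATCHED:
                findings.append((idx + 1, name, "%{" in opts))
    return findings


# Constructed samples: a normal modeline, one setting tabpanel in the trailing
# window, and one outside both windows (which Vim would not read).
SAMPLE_CLEAN = "int main(void) { return 0; }\n/* vim: set ts=4 sw=4 et: */\n"
SAMPLE_SUSPECT = "// plain-looking source\n" + "\n" * 6 + "// vim: set tpl=%{tabpagenr()} ft=c:\n"
SAMPLE_MIDDLE = "\n" * 6 + "// vim: set tabpanel=%{tabpagenr()}:\n" + "\n" * 5

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT), ("middle", SAMPLE_MIDDLE)):
        print(label, scan_modelines(sample))
```

Any finding is worth investigating regardless of the `%{` flag, since on patched Vim the option is not modeline-settable at all.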

Remediation

Users can update to Vim version 9.2.0272 or later, where this vulnerability has been patched.

Added: Mar 30, 2026, 7:25 PM
Updated: Mar 30, 2026, 7:25 PM

Vulnerability Rating

Custom Algorithm
  spread           7.8
  impact          10.0
  exploitability   4.8
  remediation      7.7
  relevance        4.9
  threat           4.8
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.