Microsoft’s security response team dropped a bombshell advisory on June 11, 2026: a high-severity vulnerability in Vim’s bundled netrw file explorer lets an attacker inject malicious Vimscript simply by crafting a directory name. Tracked as CVE-2026-47162, the flaw allows arbitrary code execution within the editor—and potentially on the underlying system—if a user browses to a specially named folder using netrw. Windows users, particularly those who rely on Vim inside the Windows Subsystem for Linux (WSL) or native Win32 builds, are urged to patch immediately.

How the Netrw Injection Attack Works

Netrw is a powerful, built‑in file browser and remote file editing plugin that ships with Vim. It is activated automatically when you open a directory (e.g., vim .) and provides features such as local file listings, remote file transfers via SSH, and a persistent history of recently visited directories. That history is stored in a file commonly named .netrwhist or configured by g:netrw_dirhistfile.

The core of CVE-2026-47162 lies in the way netrw writes directory paths to its history file. When a directory name contains certain specially crafted characters—such as newlines or Vim command separators—the plugin does not sanitize the input before saving it to the history file. Later, when netrw starts and sources this history file (which is treated as a Vimscript file), those injected characters become active Vim commands.

For example, an attacker could create a directory named:

project\
:!calc.exe\

or, more insidiously,

harmless\
g:my_exploit()

where g:my_exploit() has been defined earlier by an autocommand or a malicious plugin. When the user navigates into this directory with netrw, the history file records the raw string. On the next Vim session, netrw executes :!calc.exe (or arbitrary code) as soon as it loads the history. Because netrw automatically restores cursor position and buffers, the attack triggers with zero user interaction beyond opening any directory that loads netrw’s history.

Why This Matters for Windows and WSL Users

Vim is not just a Linux tool. On Windows, it is widely distributed through:
- The official Vim Win32 and Win64 builds from vim.org
- Chocolatey (choco install vim)
- winget (winget install vim.vim)
- Git for Windows, which includes a terminal-based Vim and often enables netrw by default for directory browsing
- Cygwin and MSYS2 environments

In WSL, Vim is often the default editor for many distributions, and netrw is the standard way to browse files from the command line. A compromised WSL environment can bridge to the host Windows system, making cross-platform attacks feasible—e.g., a crafted directory shared via /mnt/c/ or a VS Code remote workspace.

The injection can be delivered via:
- A malicious ZIP archive that, when extracted, creates a folder with the crafted name.
- A shared network drive or a cloned Git repository containing a poisoned directory name.
- A compromised remote server if the user browses FTP, SSH, or SCP locations using netrw’s remote capabilities.

Because netrw automatically restores the last working directory, the exploit can persist across Vim sessions until the history file is manually cleared.

Microsoft’s Involvement and Disclosure

Microsoft’s security researchers identified the vulnerability through internal code audits and reported it to the Vim maintainers under Coordinated Vulnerability Disclosure (CVD) guidelines. The Microsoft Security Response Center (MSRC) published advisory CVE-2026-47162 on June 11, 2026, classifying the flaw as “High Severity” with a CVSS score of 8.4 (though exact scoring may vary by analysis). The advisory highlights that successful exploitation requires user interaction—the victim must open a directory containing the malicious name—but given the ubiquity of netrw, that interaction is often a routine part of a developer’s workflow.

Microsoft also released guidance tailored to Windows environments, emphasizing that while the vulnerability resides in third‑party software, the large Windows user base necessitates clear patching steps.

How to Patch Vim on Windows Immediately

The Vim maintainers have released patches that sanitize directory names before writing them to the history file. The fix is integrated into Vim 9.x.xxxx (the exact build number would be > 9.0.1234 after the June 2026 merge). Here’s how to update:

Option 1: Update via winget

Open a command prompt or PowerShell as an administrator and run:

winget upgrade vim.vim

or, to install fresh:

winget install vim.vim

Option 2: Update with Chocolatey

In an elevated shell, type:

choco upgrade vim

Option 3: Download the Installer

Visit the official Vim download page and grab the latest Windows installer (gvim_9.x.xxxx_x64.exe). Run the installer and ensure you overwrite the previous installation.

Option 4: Update Git for Windows

Git for Windows bundles its own Vim. To update it, download the latest Git for Windows installer from git-scm.com and re‑run it. After installation, verify the internal Vim’s version by opening Git Bash and typing vim --version.

For WSL Distributions

Inside your WSL terminal, update the Vim package using your package manager:
- Ubuntu/Debian: sudo apt update && sudo apt upgrade vim
- Fedora: sudo dnf upgrade vim
- openSUSE: sudo zypper update vim
- Arch: sudo pacman -Syu vim

If you installed Vim via Snap, run sudo snap refresh vim. For a compiled‑from‑source installation, pull the latest repository and rebuild.

Verify the Patch

After updating, open Vim and run:

:version

Look for a patch level dated after June 11, 2026. You can also test with a safe crafted directory name—create a folder named “test\
:echo ‘vulnerable’\
” and browse it; if no command executes, the patch is in place.

Temporary Workarounds Until You Can Update

If you cannot update immediately, apply one of these mitigations:

  1. Disable the netrw history file by adding to your .vimrc or _vimrc:
    let g:netrw_dirhistmax = 0
    This prevents any history from being written, but you lose directory history persistence.

  2. Delete existing history:
    Remove the file ~/.vim/.netrwhist (Linux/WSL) or %USERPROFILE%\\vimfiles\\.netrwhist (Windows), and then start Vim with netrw disabled:
    vim --cmd \"let g:loaded_netrw = 1\" .
    This completely avoids loading netrw.

  3. Restrict automatic directory opening by aliasing vim not to open directories, e.g., alias vim=\"vim --cmd 'let g:loaded_netrw=1'\" temporarily.

Be aware that other plugins that source netrw’s history or similar files may also be affected; thus, updating is the only complete solution.

The Broader Implications of Plugin‑Level Code Injection

Netrw’s deep integration into Vim makes this vulnerability particularly dangerous. Many users are unaware that simply navigating with Vim’s built‑in file explorer can execute code. This class of bug—directory name injection—has surfaced in other file managers in the past, but netrw’s history‑file mechanism adds a layer of persistence that makes exploitation more reliable.

For enterprises using Windows workstations with Vim in development pipelines, an attacker could plant a malicious repository containing a crafted directory name. As soon as a developer clones the repo and opens it with vim ., the injected code runs, potentially stealing SSH keys, credentials, or installing implants. Security teams should audit their development environment for any Vim installations and enforce the patch.

Microsoft’s swift disclosure underscores their commitment to securing the open‑source ecosystem that Windows developers rely on. The company has been increasingly active in finding and reporting vulnerabilities in widely‑used tools.

What’s Next?

The Vim team is considering a more fundamental redesign of how netrw stores its history—possibly moving to a non‑executable format. In the meantime, users should treat any third‑party Vim plugin with the same scrutiny as a browser extension: only install from trusted sources and keep them updated.

For Windows administrators, it’s worth adding a software inventory rule to detect Vim versions below the patched level. Microsoft’s own Defender for Endpoint might include detection logic, but manually pushing an update via Group Policy or SCCM will be faster.

The lesson is clear: even a seemingly innocuous feature like a file‑browser history can become an entry point for attackers. Update your Vim today.