“Opening a file in GNU Emacs can trigger arbitrary code execution via version control (git), most requiring zero user interaction beyond the file open itself. The most severe finding requires no file-local variables at all — simply opening any file inside a directory containing a crafted .git/ folder executes attacker-controlled commands,” he wrote.
One fixed, one not
When notified, Vim’s maintainers quickly fixed their issue, tracked as CVE-2026-34714 with a CVSS score of 9.2, in version 9.2.0272.
Unfortunately, addressing the GNU Emacs vulnerability, which is currently without a CVE identifier, isn’t as simple. Its maintainers consider it to be a problem with Git, and declined to address the issue; in his post, Nguyen suggests manual mitigations. The vulnerable versions are 30.2 (stable release) and 31.0.50 (development).



