CVE-2026-8997

Heap Buffer Overflow in vifm

CVSS 4.8 MEDIUMEPSS 0.1%CWE-122

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products

vifm · vifm

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://cert.pl/en/posts/2026/05/CVE-2026-8997 https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d