CVE-2026-8997 | THREATINT

Description

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

PUBLISHED Reserved 2026-05-19 | Published 2026-05-22 | Updated 2026-05-22 | Assigner CERT-PL

MEDIUM: 4.8CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-122 Heap-based Buffer Overflow

Product status

Default status

unaffected

0.12.1 (semver)

affected

Credits

Michał Majchrowicz (AFINE) finder

Marcin Wyczechowski (AFINE) finder

References

cert.pl/en/posts/2026/05/CVE-2026-8997 third-party-advisory

github.com/...ommit/23063c741f15a85621fd232dfc3ac5b779f6910d patch

cve.org (CVE-2026-8997)

nvd.nist.gov (CVE-2026-8997)

Download JSON