CVE-2026-8997

Source
https://cve.org/CVERecord?id=CVE-2026-8997
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8997.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-8997
Downstream
Related
Published
2026-05-22T13:26:17.904Z
Modified
2026-07-08T08:12:16.451840606Z
Severity
  • 4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Heap Buffer Overflow in vifm
Details

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/8xxx/CVE-2026-8997.json",
    "cna_assigner": "CERT-PL",
    "cwe_ids": [
        "CWE-122"
    ]
}
References

Affected packages

Git / github.com/vifm/vifm

Affected ranges

Type
GIT
Repo
https://github.com/vifm/vifm
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0.12.1"
        },
        {
            "last_affected": "0.14.3"
        }
    ]
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-8997.json"