UBUNTU-CVE-2026-8997

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-8997

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-8997

Upstream

CVE-2026-8997

Published

2026-05-22T14:16:00Z

Modified

2026-05-27T19:09:39Z

Severity

4.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

References

Affected packages

Ubuntu:16.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.7.8-3

0.7.8-3build1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.7.8-3build1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:18.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.9-1

0.9.1-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.9.1-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:20.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.1-2

0.10.1-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.10.1-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:22.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.1-4

0.12-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.12-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:24.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.12-1

0.12-1build1

0.12-1build2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.12-1build2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:25.10

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.12-1build2

0.14-3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.14-3"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"

Ubuntu:26.04:LTS

vifm

Package

Name: vifm
Purl: pkg:deb/ubuntu/vifm?arch=source&distro=resolute

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.14-3

0.14.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "vifm",
            "binary_version": "0.14.3-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-8997.json"