🔐 CVE Alert

CVE-2026-8997

UNKNOWN 0.0

Heap Buffer Overflow in vifm

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). The flaw occurs because release builds lack a runtime check on the length of history entries, so a crafted long path or command in the history can cause memory corruption or an application crash. Releases from 0.12.1 to 0.14.3 (inclusive) are considered vulnerable. This issue was fixed in commit 23063c7.

CWE: CWE-122
Vendor: vifm
Product: vifm
Published: May 22, 2026
Last Updated: May 22, 2026

Affected Versions

vifm / vifm
0.12.1 ≤ version ≤ 0.14.3

References

cert.pl: https://cert.pl/en/posts/2026/05/CVE-2026-8997
github.com: https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d

Credits

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)