CVE-2026-8997

Name: CVE-2026-8997
Description: vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1137528

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| vifm (PTS) | bullseye | 0.10.1-4 | vulnerable |
| | bookworm | 0.12-1 | vulnerable |
| | trixie | 0.14-3 | vulnerable |
| | forky, sid | 0.14.4-1 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| vifm | source | (unstable) | 0.14.3-3 | | | 1137528 |

Notes

[trixie] - vifm <no-dsa> (Minor issue)
[bookworm] - vifm <no-dsa> (Minor issue)
[bullseye] - vifm <no-dsa> (Minor issue)
Fixed by: https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d
