2480738 – (CVE-2026-8997) CVE-2026-8997 vifm: vifm: Memory corruption and application crash due to heap buffer overflow.

Bug 2480738 (CVE-2026-8997) - CVE-2026-8997 vifm: vifm: Memory corruption and application crash due to heap buffer overflow.

Summary: CVE-2026-8997 vifm: vifm: Memory corruption and application crash due to heap...

Keywords:
Status:	NEW
Alias:	CVE-2026-8997
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2481426
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-22 14:01 UTC by OSIDB Bzimport
Modified:	2026-05-26 11:09 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-22 14:01:28 UTC

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes.
Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Note You need to log in before you can comment on or make changes to this bug.