CVE-2026-8997

CVE-2026-8997 is a medium-severity vulnerability with a CVSS 4.0 base score of 4.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.

Key facts

Description

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Frequently asked questions

What is CVE-2026-8997?
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7
How severe is CVE-2026-8997?
CVE-2026-8997 has a CVSS 4.0 base score of 4.8, rated medium severity.
Is CVE-2026-8997 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (4th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-8997?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-8997 have an EU (EUVD) identifier?
Yes. CVE-2026-8997 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-31439.
When was CVE-2026-8997 published?
CVE-2026-8997 was published on 2026-05-22 and last updated on 2026-06-17.

References

Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities

Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →