Description
vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes.
Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7
Published: 2026-05-22
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

During the process of merging history entries when the state file is written, vifm performs no runtime check on the length of history strings in release builds. A crafted entry with an overly long path or command can overflow a heap buffer, corrupting adjacent memory or causing the application to crash. This vulnerability is a classic heap buffer overflow categorized as CWE‑122.

Affected Systems

The vulnerable versions are the releases from 0.12.1 through 0.14.3 inclusive. Any install of vifm in that range is at risk if it writes the state file (vifminfo.json).

Risk and Exploitability

The CVSS score is 4.8, indicating a moderate severity that mainly results in memory corruption or denial of service rather than remote code execution. No EPSS data is available, and the flaw is not listed in CISA KEV. Exploitation would require an attacker to supply a malicious history entry that is later merged, implying a local or user‑prompted attack vector rather than a remote one. A successful attack could lead to application crashes or unpredictable behavior.

Generated by OpenCVE AI on May 22, 2026 at 15:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade vifm to a version newer than 0.14.3, which includes the fix in commit 23063c7
  • If an upgrade is not immediately possible, apply the patch from commit 23063c7 to your local build or backport it
  • After applying a fix, monitor the application for crashes or abnormal memory usage related to history file handling

Generated by OpenCVE AI on May 22, 2026 at 15:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 22 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 22 May 2026 13:45:00 +0000

Type Values Removed Values Added
Description vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7
Title Heap Buffer Overflow in vifm
Weaknesses CWE-122
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-22T15:03:29.811Z

Reserved: 2026-05-19T13:33:16.963Z

Link: CVE-2026-8997

cve-icon Vulnrichment

Updated: 2026-05-22T15:03:24.979Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-22T15:15:09Z

Weaknesses