CVE-2026-8997 Common Vulnerabilities and Exposures

Upstream information

CVE-2026-8997 at MITRE

Description

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes.
Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Other Security Trackers

EUVD-2026-31439

SUSE information

Overall state of this security issue: Does not affect SUSE products

No SUSE Bugzilla entries cross referenced.

No SUSE Security Announcements cross referenced.

List of released packages

Product(s)	Fixed package version(s)	References
openSUSE Tumbleweed	`vifm >= 0.14.4-1.1`	Patchnames: openSUSE-Tumbleweed-2026-10928

SUSE Timeline for this CVE

CVE page created: Tue Jun 2 11:24:32 2026
CVE page last modified: Tue Jun 2 11:24:32 2026