Full Report
A Heap-based Buffer Overflow vulnerability (CVE-2026-8997) has been found in the vifm software.
Analysis Summary
# Vulnerability: Heap-based Buffer Overflow in vifm History Merging
## CVE Details
- **CVE ID:** CVE-2026-8997
- **CVSS Score:** Not explicitly rated in the source advisory (heap-based overflows are typically rated High severity)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** vifm (File Manager)
- **Versions:** 0.12.1 through 0.14.3 (inclusive)
- **Configurations:** Release builds (specifically those lacking runtime checks during the history merge process).
## Vulnerability Description
A heap-based buffer overflow exists in how `vifm` handles the history merge process when saving the state file (`vifminfo.json`). The application fails to perform adequate runtime length checks on history entries in production/release builds. If a history entry (such as a specifically crafted long file path or command) exceeds expected bounds, it can overflow the heap buffer, leading to memory corruption or application crashes.
## Exploitation
- **Status:** Reported via CVD (Coordinated Vulnerability Disclosure); no mention of active exploitation in the wild.
- **Complexity:** Medium (Requires inducing the application to save a crafted long history entry).
- **Attack Vector:** Local (The attacker typically needs to influence the command history or file paths processed by the user).
## Impact
- **Confidentiality:** Potential (Memory corruption can lead to information disclosure).
- **Integrity:** High (Memory corruption can potentially lead to arbitrary code execution).
- **Availability:** High (Can cause the application to crash reliably).
## Remediation
### Patches
- The vulnerability has been addressed in the source code. Users should apply the fix from **commit `23063c7`** or update to a version newer than 0.14.3.
### Workarounds
- Limit the length of commands or paths used within the application.
- Regularly clear or monitor the `vifminfo.json` file for unusually long entries.
## Detection
- **Indicators of Compromise:** Crashes occurring specifically when the application attempts to save its state or exit.
- **Detection Methods:** Security teams can audit the `vifminfo.json` file for abnormally large strings in history fields. Developers can use memory sanitizers (like ASan) to detect the overflow in a lab environment.
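One way to perform the state-file audit described above, as an added example that is not part of the original advisory or of vifm itself: it walks the JSON tree of a `vifminfo.json` file and reports every string longer than a threshold, with its JSON path. The key names in the constructed sample and the 4096-byte threshold are assumptions, not values taken from the advisory.

```python
import json
import sys
from typing import Any, Iterator, List, Tuple

# Assumed audit threshold (PATH_MAX on Linux is 4096); adjust to taste.
MAX_ENTRY_LEN = 4096


def walk_strings(node: Any, path: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, value) for every string anywhere in the JSON tree,
    so the audit does not depend on knowing the exact vifminfo.json layout."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_oversized(text: str, limit: int = MAX_ENTRY_LEN) -> List[Tuple[str, int]]:
    """Parse a vifminfo.json document and return (json_path, length)
    for each string longer than `limit`; an empty list means nothing flagged."""
    data = json.loads(text)
    return [(p, len(s)) for p, s in walk_strings(data) if len(s) > limit]


# Constructed sample state file: the key names only loosely mimic
# vifminfo.json and are assumptions; the 5000-char command is the
# kind of abnormally long history entry the advisory tells you to look for.
SAMPLE = json.dumps({
    "cmd-hist": ["cd /tmp", "x" * 5000],
    "gtabs": [{"panes": [{"history": [{"dir": "/home/user", "file": "a.txt"}]}]}],
})

if __name__ == "__main__":
    # Usage: python audit_vifminfo.py [path/to/vifminfo.json]
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for json_path, length in find_oversized(text):
        print(f"oversized entry at {json_path}: {length} chars")
```

Run it against a real `~/.config/vifm/vifminfo.json` (or `~/.vifm/vifminfo.json`, depending on the install) to flag entries worth inspecting before the application next saves its state.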
## References
- CERT Polska Advisory: hxxps://cert[.]pl/en/posts/2026/05/vulnerability-in-vifm-software/
- CVE Record: hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-8997
- CWE-122 Definition: hxxps://cwe[.]mitre[.]org/data/definitions/122[.]html