What is the CVSS score of CVE-2026-8997?

CVE-2026-8997 has a CVSS 4.0 base score of 4.8 (Medium). CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-8997?

Yes, a patch is available for CVE-2026-8997. Update the affected software to the latest version immediately.

Vifm CVE-2026-8997

EUVD-2026-31439 MEDIUM

Heap-based Buffer Overflow (CWE-122)

2026-05-22 CERT-PL

GHSA-3623-vc46-pwpv

Buffer Overflow Heap Overflow Vifm

4.8

CVSS 4.0

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Lifecycle Timeline

CVE Published

May 22, 2026 - 13:26 nvd

UNKNOWN (no severity yet)

DescriptionNVD

vifm is vulnerable to a heap buffer overflow during the history merge process when saving the state file (vifminfo.json). This flaw occurs because the application lacks a runtime check on the length of history entries in release builds, potentially allowing a crafted long path or command in the history to cause memory corruption or application crashes. Releases from 0.12.1 to 0.14.3 (including) are considered vulnerable. This issue was fixed in commit 23063c7

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8997 vulnerability details – vuln.today

Back