#1137528 vifm: CVE-2026-8997

Package:
src:vifm
Source:
src:vifm
Submitter:
Salvatore Bonaccorso
Date:
2026-05-28 22:55:03 UTC
Severity:
normal
#1137528#5
Date:
2026-05-24 19:17:42 UTC
Hi,

The following vulnerability was published for vifm.

CVE-2026-8997[0]:
| vifm is vulnerable to a heap buffer overflow during the history
| merge process when saving the state file (vifminfo.json). This flaw
| occurs because the application lacks a runtime check on the length
| of history entries in release builds, potentially allowing a crafted
| long path or command in the history to cause memory corruption or
| application crashes. Releases from 0.12.1 to 0.14.3 (inclusive) are
| considered vulnerable. This issue was fixed in commit 23063c7


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-8997
https://www.cve.org/CVERecord?id=CVE-2026-8997
[1] https://github.com/vifm/vifm/commit/23063c741f15a85621fd232dfc3ac5b779f6910d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1137528#10
Date:
2026-05-28 22:53:21 UTC
We believe that the bug you reported is fixed in the latest version of
vifm, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1137528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Kirill Rekhov <krekhov.dev@gmail.com> (supplier of updated vifm package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 27 May 2026 16:18:23 +0000
Source: vifm
Architecture: source
Version: 0.14.3-3
Distribution: unstable
Urgency: medium
Maintainer: Kirill Rekhov <krekhov.dev@gmail.com>
Changed-By: Kirill Rekhov <krekhov.dev@gmail.com>
Closes: 1137528
Changes:
 vifm (0.14.3-3) unstable; urgency=medium
 .
   * Fix CVE-2026-8997: prevent heap buffer overflow in trie
     (Closes: #1137528)