CVE-2026-53432 PUBLISHED

Integer Overflow in fzf

Assigner: CERT-PL
Reserved: 09.06.2026 Published: 30.06.2026 Updated: 30.06.2026

fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic.

This issue was fixed in version 0.73.1.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 5.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	fzf
Product	fzf
Versions	Default: unaffected affected from 0 to 0.73.1 (excl.)

CVE-2026-53432 PUBLISHED

Integer Overflow in fzf

Metrics

Product Status

Credits

References

Problem Types