fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
History

Wed, 01 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Fzf
Fzf fzf
Vendors & Products Fzf
Fzf fzf

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
Title Integer Overflow in fzf
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published: 2026-06-30T12:01:07.027Z

Updated: 2026-06-30T15:58:16.427Z

Reserved: 2026-06-09T11:41:37.126Z

Link: CVE-2026-53432

cve-icon Vulnrichment

Updated: 2026-06-30T14:18:37.329Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T12:01:07Z

Links: CVE-2026-53432 - Bugzilla