CVE-2026-53432

fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
Configurations

Configuration 1 (hide)

cpe:2.3:a:junegunn:fzf:*:*:*:*:*:*:*:*

History

02 Jul 2026, 19:01

Type Values Removed Values Added
CPE cpe:2.3:a:junegunn:fzf:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
First Time Junegunn
Junegunn fzf
References () https://cert.pl/en/posts/2026/06/CVE-2026-53432 - () https://cert.pl/en/posts/2026/06/CVE-2026-53432 - Third Party Advisory
References () https://github.com/junegunn/fzf - () https://github.com/junegunn/fzf - Product
References () https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91 - () https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91 - Patch

30 Jun 2026, 13:19

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-30 13:19

Updated : 2026-07-02 19:01


NVD link : CVE-2026-53432

Mitre link : CVE-2026-53432

CVE.ORG link : CVE-2026-53432


JSON object : View

Products Affected

junegunn

  • fzf
CWE
CWE-190

Integer Overflow or Wraparound