Description
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic.

This issue was fixed in version 0.73.1.
Published: 2026-06-30
Score: 5.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

fzf contains an integer overflow in the FuzzyMatchV2 function, which occurs when an input line length of around 2,200,000 bytes and a pattern length of 999 bytes are processed. The overflow causes the Go runtime to detect invalid slice bounds and terminate the process with a non‑recoverable panic, resulting in a crash without any further compromise of the system.

Affected Systems

The vulnerability affects the fzf fuzzy finder tool, all releases prior to version 0.73.1. Version 0.73.1 and later include a fix that prevents the overflow by correctly bounding calculations.

Risk and Exploitability

The CVSS score of 5.6 indicates moderate risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly documented exploits. Based on the description, the attack vector is local: an attacker can trigger the crash by supplying the rapidly crafted, very long input to a running instance of fzf, causing a denial of service but no remote code execution or data disclosure.

Generated by OpenCVE AI on June 30, 2026 at 13:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade fzf to version 0.73.1 or later.
  • If an upgrade cannot be performed immediately, avoid supplying input lines longer than roughly two million characters and patterns exceeding about nine hundred characters to reduce the chance of the overflow occurring.
  • Consider disabling fuzzy matching for untrusted or externally supplied data streams until a patch is applied.

Generated by OpenCVE AI on June 30, 2026 at 13:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

cvssV3_1

{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Tue, 30 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
Title Integer Overflow in fzf
Weaknesses CWE-190
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-30T15:58:16.427Z

Reserved: 2026-06-09T11:41:37.126Z

Link: CVE-2026-53432

cve-icon Vulnrichment

Updated: 2026-06-30T14:18:37.329Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-06-30T12:01:07Z

Links: CVE-2026-53432 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T13:30:13Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound