Impact
fzf contains an integer overflow in the FuzzyMatchV2 function, triggered when an input line of around 2,200,000 bytes is processed with a pattern of 999 bytes. The overflow causes the Go runtime to detect invalid slice bounds and terminate the process with a non-recoverable panic, resulting in a crash without any further compromise of the system.
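The two lengths quoted above multiply to 2,197,800,000, which is above the signed 32-bit maximum of 2,147,483,647. The following Go program is an added example, not fzf's code: it assumes the overflowing calculation is a 32-bit product of line length and pattern length (the page does not say which calculation overflows), and every function name in it is hypothetical. It puts the wrapping size computation beside a bounded one.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrMatrixTooLarge is returned when lineLen*patternLen cannot be held in an int32.
var ErrMatrixTooLarge = errors.New("score matrix size exceeds int32 range")

// uncheckedCells models the weak form: the product is computed in 32-bit
// arithmetic (an assumption of this example) and wraps silently.
func uncheckedCells(lineLen, patternLen int) int32 {
	return int32(lineLen) * int32(patternLen)
}

// checkedCells widens to 64 bits first and rejects any size that would
// not survive the conversion back to int32.
func checkedCells(lineLen, patternLen int) (int32, error) {
	if lineLen < 0 || patternLen < 0 || lineLen > math.MaxInt32 || patternLen > math.MaxInt32 {
		return 0, ErrMatrixTooLarge
	}
	cells := int64(lineLen) * int64(patternLen)
	if cells > math.MaxInt32 {
		return 0, ErrMatrixTooLarge
	}
	return int32(cells), nil
}

// validBounds reports whether buf[:size] would pass the runtime's
// slice bounds check for a buffer of the given capacity.
func validBounds(capacity int, size int32) bool {
	return size >= 0 && int(size) <= capacity
}

func main() {
	// Constructed inputs: the lengths quoted in the advisory, plus a control case that fits.
	for _, c := range [][2]int{{2_200_000, 999}, {2_000_000, 999}} {
		wrapped := uncheckedCells(c[0], c[1])
		safe, err := checkedCells(c[0], c[1])
		fmt.Printf("line=%d pattern=%d unchecked=%d sliceable=%v checked=%d err=%v\n",
			c[0], c[1], wrapped, validBounds(math.MaxInt32, wrapped), safe, err)
	}
}
```

With the advisory's lengths the unchecked product becomes negative, so any slice expression using it fails the bounds check, while the checked form returns an error the caller can handle.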
Affected Systems
The vulnerability affects all releases of the fzf fuzzy finder prior to version 0.73.1. Version 0.73.1 and later include a fix that prevents the overflow by correctly bounding calculations.
Risk and Exploitability
The CVSS score of 5.6 indicates moderate risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting no publicly documented exploits. Based on the description, the attack vector is local: an attacker can trigger the crash by supplying a crafted, very long input to a running instance of fzf, causing a denial of service but no remote code execution or data disclosure.