CVE Catalog

CVE-2026-53432

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

15th percentile — higher than 15% of all known CVEs

Summary

An integer overflow vulnerability was discovered in the fzf tool within the FuzzyMatchV2 function. When the input line length is approximately 2,200,000 bytes and the pattern length is 999 bytes, an overflow occurs, leading to invalid slice bounds. The Go runtime detects this and immediately terminates the process with a non-recoverable panic.

Risk Assessment

An attacker can deliberately provide malicious input, causing a crash of the application using fzf, resulting in a denial of service (DoS). The vulnerability can be exploited remotely if the application processes user-supplied data.

Recommendation

Immediately update fzf to version 0.73.1 or later, which contains the fix. If an update is not possible, restrict the length of processed input lines and patterns.

Original NVD description (English source)

fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS