🔐 CVE Alert

CVE-2026-53432

UNKNOWN 0.0

Integer Overflow in fzf

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

fzf is vulnerable to an integer overflow that leads to a crash in the FuzzyMatchV2 function. When the input line length is approximately 2,200,000 bytes and the pattern length is 999 bytes, the product of the two overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
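The arithmetic behind the description, as an added example that is not fzf's code: it shows how the quoted sizes wrap to a negative slice bound and how a checked multiplication rejects them. It assumes the size is computed in signed 32-bit arithmetic, which the advisory does not state; the names `cellsUnchecked`, `cellsChecked`, `carve` and `errOutOfRange` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

var errOutOfRange = errors.New("line*pattern size out of int32 range")

// cellsUnchecked multiplies in signed 32-bit arithmetic (an assumption about
// the index width; the advisory does not state it) and wraps silently.
func cellsUnchecked(lineLen, patLen int) int32 {
	return int32(lineLen) * int32(patLen)
}

// cellsChecked multiplies in 64 bits and rejects sizes that do not fit.
func cellsChecked(lineLen, patLen int) (int32, error) {
	if lineLen < 0 || patLen < 0 || lineLen > math.MaxInt32 || patLen > math.MaxInt32 {
		return 0, errOutOfRange
	}
	if n := int64(lineLen) * int64(patLen); n <= math.MaxInt32 {
		return int32(n), nil
	}
	return 0, errOutOfRange
}

// carve takes n cells from a preallocated slab and reports whether the
// runtime bounds check panicked. The recover exists only so this demo can
// report the panic; without one on the goroutine the process terminates.
func carve(slab []int32, n int32) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	_ = slab[:n]
	return false
}

func main() {
	slab := make([]int32, 1024)         // constructed sample buffer
	n := cellsUnchecked(2_200_000, 999) // sizes quoted in the advisory
	fmt.Println("wrapped size:", n, "panicked:", carve(slab, n))
	_, err := cellsChecked(2_200_000, 999)
	fmt.Println("checked:", err)
}
```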

CWE CWE-190
Vendor fzf
Product fzf
Published Jun 30, 2026

Affected Versions

fzf / fzf
0 < 0.73.1

References

cert.pl: https://cert.pl/en/posts/2026/06/CVE-2026-53432
github.com: https://github.com/junegunn/fzf
github.com: https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91

Credits

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)