CVE-2026-53432 (GCVE-0-2026-53432)

Vulnerability from cvelistv5 – Published: 2026-06-30 12:01 – Updated: 2026-06-30 15:58 X_Open Source
VLAI
Title
Integer Overflow in fzf
Summary
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-190 - Integer Overflow or Wraparound
Assigner
Impacted products
Vendor Product Version
fzf fzf Affected: 0 , < 0.73.1 (semver)
Create a notification for this product.
Date Public
2026-06-30 12:00
Credits
Michał Majchrowicz (AFINE Team) Marcin Wyczechowski (AFINE Team)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-53432",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-30T14:18:33.486018Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-30T15:58:16.427Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "32 bit"
          ],
          "product": "fzf",
          "programFiles": [
            "src/algo/algo.go"
          ],
          "programRoutines": [
            {
              "name": "FuzzyMatchV2"
            }
          ],
          "repo": "https://github.com/junegunn/fzf",
          "vendor": "fzf",
          "versions": [
            {
              "lessThan": "0.73.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Micha\u0142 Majchrowicz (AFINE Team)"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Marcin Wyczechowski (AFINE Team)"
        }
      ],
      "datePublic": "2026-06-30T12:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "fzf is vulnerable to\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eInteger Overflow leading to crash in \u003ci\u003eFuzzyMatchV2\u003c/i\u003e function. When input line length is\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eapproximately 2,200,000 bytes and pattern length is 999 bytes, the product\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eoverflows.\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe Go runtime detects the invalid slice bounds and terminates the\u0026nbsp;\u003c/span\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eprocess immediately with a non-recoverable panic.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003eThis issue was fixed in version 0.73.1."
            }
          ],
          "value": "fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\n\nThis issue was fixed in version 0.73.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "LOCAL",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-190",
              "description": "CWE-190 Integer Overflow or Wraparound",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-30T12:01:07.027Z",
        "orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
        "shortName": "CERT-PL"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432"
        },
        {
          "tags": [
            "product"
          ],
          "url": "https://github.com/junegunn/fzf"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "Integer Overflow in fzf",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6",
    "assignerShortName": "CERT-PL",
    "cveId": "CVE-2026-53432",
    "datePublished": "2026-06-30T12:01:07.027Z",
    "dateReserved": "2026-06-09T11:41:37.126Z",
    "dateUpdated": "2026-06-30T15:58:16.427Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-53432",
      "date": "2026-07-04",
      "epss": "0.00243",
      "percentile": "0.15429"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-53432\",\"sourceIdentifier\":\"cvd@cert.pl\",\"published\":\"2026-06-30T13:19:13.290\",\"lastModified\":\"2026-07-02T19:01:11.827\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\\n\\nThis issue was fixed in version 0.73.1.\"}],\"affected\":[{\"source\":\"cvd@cert.pl\",\"affectedData\":[{\"vendor\":\"fzf\",\"product\":\"fzf\",\"defaultStatus\":\"unaffected\",\"platforms\":[\"32 bit\"],\"programFiles\":[\"src/algo/algo.go\"],\"programRoutines\":[{\"name\":\"FuzzyMatchV2\"}],\"repo\":\"https://github.com/junegunn/fzf\",\"versions\":[{\"version\":\"0\",\"lessThan\":\"0.73.1\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"ACTIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-06-30T14:18:33.486018Z\",\"id\":\"CVE-2026-53432\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"cvd@cert.pl\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-190\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:junegunn:fzf:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.73.1\",\"matchCriteriaId\":\"1B9C3708-1223-421E-9641-DABD4A023A81\"}]}]}],\"references\":[{\"url\":\"https://cert.pl/en/posts/2026/06/CVE-2026-53432\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/junegunn/fzf\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91\",\"source\":\"cvd@cert.pl\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-53432\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-30T14:18:33.486018Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-30T14:18:37.329Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Integer Overflow in fzf\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Micha\\u0142 Majchrowicz (AFINE Team)\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Marcin Wyczechowski (AFINE Team)\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 5.6, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"ACTIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/junegunn/fzf\", \"vendor\": \"fzf\", \"product\": \"fzf\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.73.1\", \"versionType\": \"semver\"}], \"platforms\": [\"32 bit\"], \"programFiles\": [\"src/algo/algo.go\"], \"defaultStatus\": \"unaffected\", \"programRoutines\": [{\"name\": \"FuzzyMatchV2\"}]}], \"datePublic\": \"2026-06-30T12:00:00.000Z\", \"references\": [{\"url\": \"https://cert.pl/en/posts/2026/06/CVE-2026-53432\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/junegunn/fzf\", \"tags\": [\"product\"]}, {\"url\": \"https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91\", \"tags\": [\"issue-tracking\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"fzf is vulnerable to\\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\\u00a0overflows.\\u00a0The Go runtime detects the invalid slice bounds and terminates the\\u00a0process immediately with a non-recoverable panic.\\n\\nThis issue was fixed in version 0.73.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"fzf is vulnerable to\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eInteger Overflow leading to crash in \u003ci\u003eFuzzyMatchV2\u003c/i\u003e function. When input line length is\u0026nbsp;\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eapproximately 2,200,000 bytes and pattern length is 999 bytes, the product\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eoverflows.\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eThe Go runtime detects the invalid slice bounds and terminates the\u0026nbsp;\u003c/span\u003e\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eprocess immediately with a non-recoverable panic.\u003cbr\u003e\u003cbr\u003e\u003c/span\u003e\u003c/span\u003eThis issue was fixed in version 0.73.1.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-190\", \"description\": \"CWE-190 Integer Overflow or Wraparound\"}]}], \"providerMetadata\": {\"orgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"shortName\": \"CERT-PL\", \"dateUpdated\": \"2026-06-30T12:01:07.027Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-53432\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-30T15:58:16.427Z\", \"dateReserved\": \"2026-06-09T11:41:37.126Z\", \"assignerOrgId\": \"4bb8329e-dd38-46c1-aafb-9bf32bcb93c6\", \"datePublished\": \"2026-06-30T12:01:07.027Z\", \"assignerShortName\": \"CERT-PL\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…