Integer Overflow Vulnerability in fzf by Junegunn
CVE-2026-53432

5.6 MEDIUM

Key Information:

Vendor: Fzf
Status: Vendor
CVE Published: 30 June 2026

What is CVE-2026-53432?

fzf, a command-line fuzzy finder, is susceptible to an integer overflow in its FuzzyMatchV2 function. The overflow is triggered when the length of an input line reaches approximately 2,200,000 bytes together with a pattern length of 999 bytes. The Go runtime detects the resulting out-of-range value and terminates the process with a non-recoverable panic. The issue is fixed in version 0.73.1; affected installations should upgrade to that version or later.
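The following Go program is an added illustration and is not fzf's own code. It assumes the matcher sizes a score matrix as line length multiplied by pattern length, using a 32-bit int as on a 32-bit build; the names naiveCells, checkedCells and allocate are hypothetical. It shows the product wrapping negative for the sizes quoted above, the runtime panic that a negative length then causes in make(), and an up-front bound check that rejects the request before any allocation.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrTooLarge is returned when the score matrix would not fit in an int32.
var ErrTooLarge = errors.New("score matrix size overflows int32")

// naiveCells mimics an unguarded product on a 32-bit build (assumed shape,
// not fzf's code): 2,200,000 * 999 = 2,197,800,000 cells, which exceeds
// math.MaxInt32 (2,147,483,647), so the result silently wraps negative.
func naiveCells(lineLen, patternLen int32) int32 {
	return lineLen * patternLen
}

// checkedCells refuses any product that does not fit in int32 before
// anything is allocated, instead of letting make() panic later.
func checkedCells(lineLen, patternLen int32) (int32, error) {
	if lineLen < 0 || patternLen < 0 {
		return 0, ErrTooLarge
	}
	if patternLen != 0 && lineLen > math.MaxInt32/patternLen {
		return 0, ErrTooLarge
	}
	return lineLen * patternLen, nil
}

// allocate shows what the wrapped value does downstream: make() with a
// negative length raises a runtime panic. It is recovered here only so the
// failure mode can be observed and returned as an error.
func allocate(cells int32) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("runtime panic: %v", r)
		}
	}()
	_ = make([]int16, int(cells))
	return nil
}

func main() {
	n := naiveCells(2_200_000, 999)
	fmt.Println("unchecked cells:", n)    // negative after wraparound
	fmt.Println("allocate:", allocate(n)) // runtime panic, recovered here
	_, err := checkedCells(2_200_000, 999)
	fmt.Println("checked:", err)          // rejected before allocation
}
```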

Affected Version(s)

fzf (32-bit builds): versions from 0 up to, but not including, 0.73.1

CVSS V4

Score: 5.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE Team)
Marcin Wyczechowski (AFINE Team)