CVE-2026-53432

Name: CVE-2026-53432
Description: fzf is vulnerable to an integer overflow in the FuzzyMatchV2 function that leads to a crash. When the input line length is approximately 2,200,000 bytes and the pattern length is 999 bytes, the product of the two overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
Source: CVE
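
As an added example (not code from fzf or from this tracker), the arithmetic behind the description above in Go: the unchecked line-length x pattern-length product wraps for the figures given, while the same product formed in int64 and range-checked is rejected before it can reach a slice expression. It assumes the product is formed in a 32-bit integer type; the tracker text does not name the type.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrSlabTooLarge is returned when the scoring matrix would not fit in an int32.
var ErrSlabTooLarge = errors.New("line length x pattern length overflows int32")

// slabCellsWrapping reproduces the arithmetic failure the advisory describes:
// the line-length x pattern-length product is formed in a 32-bit integer and
// wraps silently. Assumption: a 32-bit type is used; the advisory's figures
// (2,200,000 x 999 = 2,197,800,000 > math.MaxInt32) are consistent with that.
func slabCellsWrapping(lineLen, patLen int32) int32 {
	return lineLen * patLen // for 2,200,000 x 999 this yields -2,097,167,296
}

// slabCellsChecked forms the same product in int64, where two int32 factors
// cannot overflow, and refuses any result that does not fit in int32. A caller
// can then skip or reject the oversized line instead of handing a negative
// bound to a slice expression, which the Go runtime turns into a panic.
func slabCellsChecked(lineLen, patLen int32) (int32, error) {
	if lineLen < 0 || patLen < 0 {
		return 0, errors.New("negative length")
	}
	wide := int64(lineLen) * int64(patLen)
	if wide > math.MaxInt32 {
		return 0, ErrSlabTooLarge
	}
	return int32(wide), nil
}

func main() {
	// Constructed inputs matching the advisory's figures; not a real fzf input.
	const lineLen, patLen int32 = 2_200_000, 999

	fmt.Println("wrapping product:", slabCellsWrapping(lineLen, patLen))
	if _, err := slabCellsChecked(lineLen, patLen); err != nil {
		fmt.Println("checked product rejected:", err)
	}
	// A realistic pair that fits comfortably is accepted unchanged.
	if n, err := slabCellsChecked(4096, 64); err == nil {
		fmt.Println("checked product accepted:", n)
	}
}
```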

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release      Version    Status
fzf (PTS)        bullseye     0.24.3-1   vulnerable
                 bookworm     0.38.0-1   vulnerable
                 trixie       0.60.3-1   vulnerable
                 forky, sid   0.73.1-1   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
fzf       source   (unstable)   0.73.1-1

Notes

Fixed by: https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91 (v0.73.0)
