{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-53432", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "state": "PUBLISHED", "assignerShortName": "CERT-PL", "dateReserved": "2026-06-09T11:41:37.126Z", "datePublished": "2026-06-30T12:01:07.027Z", "dateUpdated": "2026-06-30T15:58:16.427Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["32 bit"], "product": "fzf", "programFiles": ["src/algo/algo.go"], "programRoutines": [{"name": "FuzzyMatchV2"}], "repo": "https://github.com/junegunn/fzf", "vendor": "fzf", "versions": [{"lessThan": "0.73.1", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Majchrowicz (AFINE Team)"}, {"lang": "en", "type": "finder", "value": "Marcin Wyczechowski (AFINE Team)"}], "datePublic": "2026-06-30T12:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "fzf is vulnerable to&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Integer Overflow leading to crash in <i>FuzzyMatchV2</i> function. When input line length is&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">approximately 2,200,000 bytes and pattern length is 999 bytes, the product&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">overflows.&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">The Go runtime detects the invalid slice bounds and terminates the&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">process immediately with a non-recoverable panic.<br><br></span></span>This issue was fixed in version 0.73.1."}], "value": "fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\n\nThis issue was fixed in version 0.73.1."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "baseScore": 5.6, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-30T12:01:07.027Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432"}, {"tags": ["product"], "url": "https://github.com/junegunn/fzf"}, {"tags": ["issue-tracking"], "url": "https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91"}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source"], "title": "Integer Overflow in fzf", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-30T14:18:33.486018Z", "id": "CVE-2026-53432", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T15:58:16.427Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-53432", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-30T14:18:33.486018Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-30T14:18:37.329Z"}}], "cna": {"tags": ["x_open-source"], "title": "Integer Overflow in fzf", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Micha\u0142 Majchrowicz (AFINE Team)"}, {"lang": "en", "type": "finder", "value": "Marcin Wyczechowski (AFINE Team)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/junegunn/fzf", "vendor": "fzf", "product": "fzf", "versions": [{"status": "affected", "version": "0", "lessThan": "0.73.1", "versionType": "semver"}], "platforms": ["32 bit"], "programFiles": ["src/algo/algo.go"], "defaultStatus": "unaffected", "programRoutines": [{"name": "FuzzyMatchV2"}]}], "datePublic": "2026-06-30T12:00:00.000Z", "references": [{"url": "https://cert.pl/en/posts/2026/06/CVE-2026-53432", "tags": ["third-party-advisory"]}, {"url": "https://github.com/junegunn/fzf", "tags": ["product"]}, {"url": "https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91", "tags": ["issue-tracking"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "fzf is vulnerable to\u00a0Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is\u00a0approximately 2,200,000 bytes and pattern length is 999 bytes, the product\u00a0overflows.\u00a0The Go runtime detects the invalid slice bounds and terminates the\u00a0process immediately with a non-recoverable panic.\n\nThis issue was fixed in version 0.73.1.", "supportingMedia": [{"type": "text/html", "value": "fzf is vulnerable to&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">Integer Overflow leading to crash in <i>FuzzyMatchV2</i> function. When input line length is&nbsp;<span style=\"background-color: rgb(255, 255, 255);\">approximately 2,200,000 bytes and pattern length is 999 bytes, the product&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">overflows.&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">The Go runtime detects the invalid slice bounds and terminates the&nbsp;</span><span style=\"background-color: rgb(255, 255, 255);\">process immediately with a non-recoverable panic.<br><br></span></span>This issue was fixed in version 0.73.1.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-190", "description": "CWE-190 Integer Overflow or Wraparound"}]}], "providerMetadata": {"orgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "shortName": "CERT-PL", "dateUpdated": "2026-06-30T12:01:07.027Z"}}}, "cveMetadata": {"cveId": "CVE-2026-53432", "state": "PUBLISHED", "dateUpdated": "2026-06-30T15:58:16.427Z", "dateReserved": "2026-06-09T11:41:37.126Z", "assignerOrgId": "4bb8329e-dd38-46c1-aafb-9bf32bcb93c6", "datePublished": "2026-06-30T12:01:07.027Z", "assignerShortName": "CERT-PL"}, "dataVersion": "5.2"}

{}

{}

{"created": "2026-06-30T13:30:13.608252+00:00", "updated": "2026-06-30T13:30:13.608259+00:00", "vendors": []}