Bug 2494892 (CVE-2026-53432) - CVE-2026-53432 github.com/junegunn/fzf: fzf: Denial of Service via Integer Overflow in FuzzyMatchV2 function
Summary: CVE-2026-53432 github.com/junegunn/fzf: fzf: Denial of Service via Integer Ov...
Keywords:
Status: NEW
Alias: CVE-2026-53432
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2494938 2494939
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-30 13:09 UTC by OSIDB Bzimport
Modified: 2026-06-30 14:20 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-30 13:09:41 UTC
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic.

This issue was fixed in version 0.73.1.


Note You need to log in before you can comment on or make changes to this bug.