GHSA-rrf5-grxg-q8mm · Severity: medium — fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line...
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.
Conclusion & alert: CVE-2026-53432 is rated Low Risk (27.9/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.24%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-07-03 | 0.14% | 0.24% | +0.10% |
| 2 | 2026-07-01 | — | 0.14% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.6 | 4.0 | MEDIUM |
|
— | — | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
GHSA-rrf5-grxg-q8mm · Severity: medium — fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line...
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
unimportant | CVE-2026-53432 unimportant priority: Debian including 1 source packages (fzf), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): open 3, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2026-53432 |
redhat
|
medium | — | https://access.redhat.com/security/cve/CVE-2026-53432 |
ubuntu
|
medium | CVE-2026-53432 medium priority: Ubuntu including 1 source packages (fzf), 6 status rows across 6 suites (focal, jammy, noble, questing, resolute, upstream): needs-triage 5, released 1. | https://ubuntu.com/security/CVE-2026-53432 |
| URL | Tags |
|---|---|
| https://cert.pl/en/posts/2026/06/CVE-2026-53432 | Third Party Advisory |
| https://github.com/junegunn/fzf | Product |
| https://github.com/junegunn/fzf/commit/ccedd064ca56921a4235219516b3d834f60e7b91 | Patch |