Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local vector with high complexity (specific ~2.2 MB line + ~999-byte pattern threshold required); user interaction needed; impact limited to availability only.
Primary rating from Vendor (CERT-PL).
CVSS VectorVendor: CERT-PL
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic.
This issue was fixed in version 0.73.1.
AnalysisAI
Integer overflow in fzf's FuzzyMatchV2 function causes a non-recoverable process crash (denial of service) when input lines reach approximately 2,200,000 bytes and a search pattern of ~999 bytes is active. The Go runtime detects the resulting invalid slice bounds and immediately terminates the process with a panic - there is no recovery path and no possibility of memory corruption or code execution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous size conditions: the input line fed to fzf must be approximately 2,200,000 bytes or longer, and the active search pattern must be approximately 999 bytes in length. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, score 5.6) accurately characterises the risk envelope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user or automated script pipes a data source containing lines of approximately 2,200,000 bytes or more into fzf while searching with a pattern close to 999 bytes in length - for example, querying a very large log file or a corpus of minified source code. FuzzyMatchV2 overflows an integer during slice-bound computation, the Go runtime detects the invalid index, and fzf terminates immediately with a panic, disrupting the interactive session or causing a script that depends on fzf's exit status to fail unexpectedly. … |
| Remediation | Upgrade fzf to version 0.73.1 or later, which contains the fix introduced in commit ccedd064ca56921a4235219516b3d834f60e7b91 at https://github.com/junegunn/fzf. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40302
GHSA-rrf5-grxg-q8mm