UBUNTU-CVE-2026-53432

Source
https://ubuntu.com/security/CVE-2026-53432
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-53432
Upstream
Published
2026-06-30T13:19:00Z
Modified
2026-07-03T21:45:17.460958827Z
Severity
  • 5.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

fzf is vulnerable to Integer Overflow leading to crash in FuzzyMatchV2 function. When input line length is approximately 2,200,000 bytes and pattern length is 999 bytes, the product overflows. The Go runtime detects the invalid slice bounds and terminates the process immediately with a non-recoverable panic. This issue was fixed in version 0.73.1.

References

Affected packages

Ubuntu:20.04:LTS / fzf

Package

Name
fzf
Purl
pkg:deb/ubuntu/fzf?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.18.0-2
0.18.0-3
0.19.0-1
0.20.0-1
0.20.0-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fzf",
            "binary_version": "0.20.0-1ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json"

Ubuntu:22.04:LTS / fzf

Package

Name
fzf
Purl
pkg:deb/ubuntu/fzf?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.24.3-1
0.29.0-1
0.29.0-1ubuntu0.1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fzf",
            "binary_version": "0.29.0-1ubuntu0.1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json"

Ubuntu:24.04:LTS / fzf

Package

Name
fzf
Purl
pkg:deb/ubuntu/fzf?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.42.0-1build1
0.44.1-1
0.44.1-1ubuntu0.1
0.44.1-1ubuntu0.2
0.44.1-1ubuntu0.3

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fzf",
            "binary_version": "0.44.1-1ubuntu0.3"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json"

Ubuntu:25.10 / fzf

Package

Name
fzf
Purl
pkg:deb/ubuntu/fzf?arch=source&distro=questing

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.60.3-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fzf",
            "binary_version": "0.60.3-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json"

Ubuntu:26.04:LTS / fzf

Package

Name
fzf
Purl
pkg:deb/ubuntu/fzf?arch=source&distro=resolute

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

0.*
0.60.3-1
0.66.0-1
0.67.0-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "fzf",
            "binary_version": "0.67.0-1"
        }
    ]
}

Database specific

source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-53432.json"