Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2026-53432 and CVE-2026-53433) found in the fzf software.
Analysis Summary
# Vulnerability: Multiple Denial of Service Flaws in fzf
## CVE Details
- **CVE ID:** CVE-2026-53432 & CVE-2026-53433
- **CVSS Score:** Not explicitly provided in the source (Estimated: Medium to High)
- **CWE:** CWE-190 (Integer Overflow or Wraparound), CWE-407 (Inefficient Algorithmic Complexity)
## Affected Systems
- **Products:** fzf (command-line fuzzy finder)
- **Versions:** All versions prior to 0.73.1
- **Configurations:**
  - CVE-2026-53432 affects standard fuzzy matching operations.
  - CVE-2026-53433 impacts instances running in `--listen` mode (HTTP server).
## Vulnerability Description
The fzf software is subject to two distinct vulnerabilities that lead to Denial of Service (DoS):
1. **CVE-2026-53432 (Integer Overflow):** A flaw exists in the `FuzzyMatchV2` function. When processing a specific combination of input (approx. 2.2 million bytes) and search patterns (999 bytes), an integer overflow occurs. This triggers an invalid slice bounds error in the Go runtime, resulting in a non-recoverable panic and immediate process termination.
2. **CVE-2026-53433 (Algorithmic Complexity):** When fzf runs in `--listen` mode, its HTTP body handling is inefficient: the body of an incoming POST request is assembled by repeated string concatenation, so processing time grows quadratically with the body size ($O(n^2)$).
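The concatenation pattern described above, beside a bounded alternative, as an added example that is not fzf's code: `readBodyConcat`, `readBodyBounded`, `boundedHandler` and the byte limits are assumptions made here for illustration. The first function counts the bytes re-copied by repeated string appends (the count roughly quadruples when the input doubles); the handler reads the body once through `io.LimitReader` and answers 413 past a configured size instead of buffering it.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// readBodyConcat reproduces the quadratic pattern: every chunk read from the
// body is appended to a Go string, and each append allocates a new string and
// copies everything accumulated so far. It returns the body and the total
// bytes re-copied by the appends, which grows as O(n^2) in the body size.
// Illustration of the pattern only; not fzf's implementation.
func readBodyConcat(r io.Reader, chunkSize int) (string, int) {
	body := ""
	copied := 0
	buf := make([]byte, chunkSize)
	for {
		n, err := r.Read(buf)
		if n > 0 {
			body += string(buf[:n]) // new allocation; copies len(body)+n bytes
			copied += len(body)
		}
		if err != nil { // io.EOF or a read error ends the loop
			break
		}
	}
	return body, copied
}

var errBodyTooLarge = errors.New("request body exceeds configured limit")

// readBodyBounded reads at most maxBytes in one linear pass. It asks the
// limited reader for one byte more than the limit so an over-long body is
// detected and rejected rather than silently truncated.
func readBodyBounded(r io.Reader, maxBytes int64) (string, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return "", err
	}
	if int64(len(data)) > maxBytes {
		return "", errBodyTooLarge
	}
	return string(data), nil
}

// boundedHandler is an illustrative POST handler (assumed, not fzf's) that
// applies the limit and answers 413 for oversized bodies.
func boundedHandler(maxBytes int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		body, err := readBodyBounded(r.Body, maxBytes)
		if errors.Is(err, errBodyTooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, "accepted %d bytes\n", len(body))
	})
}

// postStatus sends a constructed POST body to the handler in-process and
// returns the HTTP status code, so behaviour can be checked without a socket.
func postStatus(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, size := range []int{32, 64, 128} {
		_, copied := readBodyConcat(strings.NewReader(strings.Repeat("x", size)), 4)
		fmt.Printf("concat pattern: %d input bytes -> %d bytes re-copied\n", size, copied)
	}
	h := boundedHandler(1024) // 1 KiB limit, an assumed value for the example
	fmt.Println("small body status:", postStatus(h, strings.Repeat("a", 100)))
	fmt.Println("large body status:", postStatus(h, strings.Repeat("a", 5000)))
}
```

The limit itself is a deployment choice; the point is that the cost of reading the body stays linear and that an over-limit request is refused before it is fully buffered.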
## Exploitation
- **Status:** Reported via coordinated disclosure; PoC details described in the advisory.
- **Complexity:** Low
- **Attack Vector:**
  - **Local/Pipe:** For CVE-2026-53432, by providing overly long input strings and patterns.
  - **Network:** For CVE-2026-53433, via a crafted POST request to the fzf HTTP listener.
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (the process crashes, or becomes unresponsive while monopolizing CPU).
## Remediation
### Patches
- Users should upgrade to **fzf version 0.73.1** or later.
### Workarounds
- **Disable `--listen` mode:** If the HTTP server functionality is not required, disabling the `--listen` flag mitigates CVE-2026-53433.
- **Restrict Input:** Sanitize or limit the length of input strings and search patterns passed to fzf in automated scripts.
## Detection
- **Indicators of Compromise:** Excessive CPU usage by the `fzf` process when running in listen mode, or unexpected `panic: runtime error: slice bounds out of range` messages in the logs of Go-based processes.
- **Detection methods:** Monitor for unusually large POST requests directed at the fzf listener port.
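The two detection points above applied to log data, as an added example that is not part of the advisory. It assumes a reverse proxy in front of the fzf listener writing one JSON entry per request with a `request_bytes` field (fzf's own log format is not documented here, so that layout, the `scanLogs` and `scanText` names and the 1 MiB threshold are assumptions); the log lines are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// proxyEntry is the assumed JSON shape of one request line logged by a reverse
// proxy placed in front of the fzf listener. This layout is an assumption for
// the example, not fzf's format.
type proxyEntry struct {
	Time         string `json:"ts"`
	Source       string `json:"src"`
	Method       string `json:"method"`
	Status       int    `json:"status"`
	RequestBytes int64  `json:"request_bytes"`
}

// Finding pairs a rule name with the log line that triggered it.
type Finding struct {
	Rule string
	Line string
}

// panicMarker is the Go runtime message the advisory lists as an indicator.
const panicMarker = "panic: runtime error: slice bounds out of range"

// sampleLog is constructed test input: three proxy entries and one line of
// process stderr. The 50 MiB POST and the panic are the two events to flag.
const sampleLog = `
{"ts":"2026-06-02T10:15:01Z","src":"10.0.0.5","method":"POST","status":200,"request_bytes":512}
{"ts":"2026-06-02T10:15:04Z","src":"10.0.0.5","method":"GET","status":200,"request_bytes":0}
{"ts":"2026-06-02T10:15:07Z","src":"10.0.0.9","method":"POST","status":200,"request_bytes":52428800}
panic: runtime error: slice bounds out of range [:5] with capacity 3
`

// scanLogs applies two rules to mixed log lines: a POST whose body exceeds
// maxPostBytes, and a Go slice-bounds panic. Lines that are neither valid
// proxy JSON nor a panic are skipped.
func scanLogs(lines []string, maxPostBytes int64) []Finding {
	var findings []Finding
	for _, line := range lines {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		if strings.Contains(line, panicMarker) {
			findings = append(findings, Finding{Rule: "go-slice-bounds-panic", Line: line})
			continue
		}
		var e proxyEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			continue // not a proxy entry; ignore
		}
		if e.Method == "POST" && e.RequestBytes > maxPostBytes {
			findings = append(findings, Finding{Rule: "oversized-post", Line: line})
		}
	}
	return findings
}

// scanText splits a log blob into lines and runs scanLogs over them.
func scanText(text string, maxPostBytes int64) []Finding {
	return scanLogs(strings.Split(text, "\n"), maxPostBytes)
}

func main() {
	// 1 MiB threshold: an assumed value; tune it to the listener's real usage.
	for _, f := range scanText(sampleLog, 1<<20) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Line)
	}
}
```

A panic match is a high-confidence signal on its own; the size rule needs a threshold chosen from the legitimate request sizes seen on the listener, since a single large but legitimate POST is not by itself an indicator.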
## References
- **CERT Polska Advisory:** hxxps://cert[.]pl/en/posts/2026/06/vulnerabilities-in-fzf-software/
- **CVE-2026-53432:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53432
- **CVE-2026-53433:** hxxps://www[.]cve[.]org/CVERecord?id=CVE-2026-53433
- **CVD Policy:** hxxps://cert[.]pl/en/cvd/