Name CVE-2026-50593 Description Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range. Source CVE (at NVD ; CERT , ENISA , LWN , oss-sec , fulldisc , Debian ELTS , Red Hat , Ubuntu , Gentoo , SUSE bugzilla /CVE , GitHub advisories /code /issues , web search , more )
Vulnerable and fixed packages The table below lists information on source packages.
Source Package Release Version Status graphite2 (PTS )bookworm, bullseye 1.3.14-1 vulnerable trixie 1.3.14-2 vulnerable forky, sid 1.3.15-2 fixed
The information below is based on the following data on fixed versions.
Package Type Release Fixed Version Urgency Origin Debian Bugs graphite2 source (unstable) 1.3.15-2
Notes [trixie] - graphite2 <no-dsa> (Minor issue; can be fixed via point release) [bookworm] - graphite2 <no-dsa> (Minor issue; can be fixed via point release) [bullseye] - graphite2 <postponed> (Minor issue) https://github.com/silnrsi/graphite/commit/ad78c6b7319909e1540c1b134e115ced03417866 (1.3.15)