Description
Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range.
Published: 2026-06-05
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Graphite before version 1.3.15 contains an integer underflow in the slotat function, which may let an attacker supply a negative offset that bypasses the slot‑map boundary check. The resulting out‑of‑bounds write can overwrite adjacent memory supporting any subsequent exploit that uses the corrupted data, potentially leading to memory corruption, denial of service, or arbitrary code execution. The vulnerability is classified under CWE‑191. The description focuses on the unbounded write, but it does not detail whether the write is exploitable beyond corruption, so analysts should treat it as a high‑severity integrity risk.

Affected Systems

The Graphite project’s Graphite software is affected. All releases prior to 1.3.15 are vulnerable, including the 1.3.14 release identified in the source commit history. Systems running these versions should consider themselves at risk.

Risk and Exploitability

The CVSS score of 7.3 indicates a high severity with potential for significant impact. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalogue. The likely attack vector is remote, as the flaw occurs in Graphite actions that can be invoked over the network. However, the brief description does not explicitly state the attack surface, so the exact requirements for exploitation remain ambiguous. Given the high severity and lack of mitigation, the risk is significant for exposed instances of Graphite before 1.3.15.

Generated by OpenCVE AI on June 5, 2026 at 04:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Graphite to version 1.3.15 or later to eliminate the integer underflow and out‑of‑bounds write flaw.
  • If an upgrade is not immediately feasible, restrict the Graphite actions endpoint to a trusted network or authenticated users only, limiting exposure to the flaw.
  • Monitor system logs for unusual memory writes or crashes that could indicate exploitation attempts, and apply additional input sanitization to offset parameters in the slotat function if possible.

Generated by OpenCVE AI on June 5, 2026 at 04:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 05:00:00 +0000

Type Values Removed Values Added
Title Integer Underflow in Graphite Actions Enables Out‑of‑Bounds Write

Fri, 05 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range.
First Time appeared Graphite Project
Graphite Project graphite
Weaknesses CWE-191
CPEs cpe:2.3:a:graphite_project:graphite:*:*:*:*:*:*:*:*
Vendors & Products Graphite Project
Graphite Project graphite
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H'}

Subscriptions

Graphite Project Graphite
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T18:22:18.882Z

Reserved: 2026-06-05T02:14:32.977Z

Link: CVE-2026-50593

cve-icon Vulnrichment

Updated: 2026-06-05T18:22:15.242Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-05T04:17:15.010

Modified: 2026-06-05T16:06:10.940

Link: CVE-2026-50593

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T05:45:32Z

Weaknesses