CVE-2026-50593: Graphite before 1
Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range.
Metrics
- CVSS v3.1
- 7.3
- Severity
- HIGH
- Fixed in
- 1.3.15
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An integer underflow leading to an out-of-bounds write affects Graphite versions before 1.3.15. The flaw is triggered locally and requires a user to interact with a malicious file or input, but no authentication is needed. Successful exploitation gives an attacker the ability to corrupt memory, tamper with data, and crash the affected process, with potential for arbitrary code execution. A patched-image rebuild at version 1.3.15 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-50593 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Graphite as a dependency.
AvailableHarborGuard scores this finding at CVSS 7.3 (HIGH) and weights it against each environment's compliance policy, then routes the alert to the appropriate team inbox within each customer organization.
AvailableA patched-image rebuild pinned to Graphite 1.3.15 becomes available through HarborGuard as soon as the fix version is confirmed. For customers who opt into auto-remediation, HarborGuard runs a regression test suite against the rebuilt image and opens a pull request against affected workloads automatically.
AvailableExploit Conditions
- Network reachabilityNot required
The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.
- AuthenticationNot required
No account or credentials are required; the attacker can trigger the flaw without authenticating to any service.
- Victim interactionRequired
A user on the target system must open or process a crafted file or input that exercises the vulnerable Graphite code path.
- Attack complexityDetail
The exploit is reliable and condition-free once the victim interacts with the malicious input; no race conditions or special environment configuration are needed.
Blast Radius
- Writes arbitrary data outside the intended slot-map buffer, corrupting adjacent memory regions.
- Modifies or destroys data held in the affected process, including any in-memory state being processed at the time.
- Crashes the affected application or service, causing a denial of service for any workload depending on Graphite rendering.
- In the worst case, controlled out-of-bounds writes can be leveraged to redirect execution flow and run attacker-supplied code within the process context.
How HarborGuard Handles This
Available on HarborGuard: any image containing Graphite below 1.3.15 is flagged immediately upon scan, and a rebuild at the patched version is made available for deployment. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR in auto-remediation environments is around 90 minutes. Where compliance policy requires manual approval, the finding is routed to the designated team inbox with the CVSS score and affected image list attached. Because victim interaction is required to trigger the flaw, teams that cannot patch immediately should consider restricting which users or processes can supply Graphite input data as a compensating control.
Fix available
- Graphite project / Graphite< 1.3.15 (from 0)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H