Skip to main content

Graphite EUVDEUVD-2026-34784

| CVE-2026-50593 HIGH
Integer Underflow (CWE-191)
2026-06-05 mitre GHSA-3mqg-485v-x9g7
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
SUSE
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 05:00 EUVD
Source Code Evidence Fetched
Jun 05, 2026 - 03:45 vuln.today
Analysis Generated
Jun 05, 2026 - 03:45 vuln.today

DescriptionCVE.org

Graphite before 1.3.15 has an integer underflow and resultant out-of-bounds write via Graphite actions, because slotat does not ensure that an offset is within the allowed slot-map range.

AnalysisAI

Out-of-bounds write in the SIL Graphite smart-font rendering engine before 1.3.15 allows attackers to corrupt memory by supplying a malicious font file that triggers an integer underflow in the slotat macro. Exploitation requires a victim to render attacker-controlled font content in an application that embeds Graphite (such as Firefox, LibreOffice, or Pango-based renderers), and no public exploit has been identified at time of analysis.

Technical ContextAI

Graphite (cpe:2.3:a:graphite_project:graphite) is SIL International's smart-font rendering library used to shape complex scripts; it is embedded in Mozilla Firefox/Thunderbird, LibreOffice, XeTeX, and Pango. The flaw is a CWE-191 (Integer Underflow) in the slotat(x) macro defined in src/inc/opcodes.h, which previously dereferenced map[(x)] without verifying that the resulting pointer fell within the slot-map (smap) bounds. When Graphite bytecode actions pass a negative or oversized offset, pointer arithmetic underflows and the engine writes outside the allocated slot map, producing the out-of-bounds write. The upstream fix at commit ad78c6b adds an explicit bounds check (map + x >= &smap[-1] && map + x < smap.end()) and sets a slot_offset_out_bounds machine status when the check fails.

RemediationAI

Upgrade SIL Graphite to version 1.3.15 or later, which contains the bounds-checked slotat macro from commit ad78c6b7319909e1540c1b134e115ced03417866 (see https://github.com/silnrsi/graphite/compare/1.3.14...1.3.15). Operators of applications that bundle Graphite (Firefox, Thunderbird, LibreOffice, Pango/libgraphite2 packages) should track and apply the corresponding vendor updates as they rebuild against 1.3.15. As a compensating control until patching, disable Graphite font shaping where the host application exposes a toggle - for example, set gfx.font_rendering.graphite.enabled to false in Firefox's about:config, which prevents loading the vulnerable code path at the cost of incorrect rendering for complex scripts (Burmese, N'Ko, SIL test fonts); environments that do not need such scripts can leave this disabled permanently. Additionally, restrict untrusted document and web font sources via Content-Security-Policy font-src directives or by stripping embedded fonts from inbound documents at the gateway, accepting reduced fidelity for legitimate content that relies on custom fonts.

Vendor StatusVendor

SUSE

Severity: Important
Product Status
Container suse/sl-micro/6.0/base-os-container:latest Container suse/sl-micro/6.0/toolbox:latest Image SLE-Micro Image SLE-Micro-Azure Image SLE-Micro-BYOS Image SLE-Micro-BYOS-Azure Image SLE-Micro-BYOS-EC2 Image SLE-Micro-BYOS-GCE Image SLE-Micro-EC2 Image SLE-Micro-GCE Affected
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected

Share

EUVD-2026-34784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy