CVE-2008-4555
Description
Stack-based buffer overflow in Graphviz 2.20.2 and earlier allows arbitrary code execution via a crafted DOT file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack-based buffer overflow in Graphviz 2.20.2 and earlier allows arbitrary code execution via a crafted DOT file.
Vulnerability
A stack-based buffer overflow exists in the push_subg function in parser.y (lib/graph/parser.c) of Graphviz 2.20.2 and earlier. The vulnerability is triggered when processing a DOT file with a large number of Agraph_t elements. [1][2]
Exploitation
An attacker can exploit this vulnerability by enticing a user or automated system to open a specially crafted DOT file in an application using Graphviz. No authentication is required, but user interaction is necessary to open the file. [2]
Impact
Successful exploitation leads to memory corruption, potentially allowing arbitrary code execution or denial of service. The attacker gains the ability to execute arbitrary code with the privileges of the user running the application. [2]
Mitigation
A fix was released in Graphviz version 2.20.3. Gentoo users should upgrade to >=media-gfx/graphviz-2.20.3. No known workaround exists for earlier versions. [1][2]
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
46cpe:2.3:a:graphviz:graphviz:*:*:*:*:*:*:*:*+ 40 more
- cpe:2.3:a:graphviz:graphviz:*:*:*:*:*:*:*:*range: <=2.20.2
- cpe:2.3:a:graphviz:graphviz:1.10_2003-09-15_0415_1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.10_2003-09-15_0415_2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.12.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.12.3:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.16.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.16.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5_0.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5_0.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5_0.3:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.7.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.8.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.8.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:1.8.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.10:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.12:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.14:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.16:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.18:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.20.0:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.20.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.2.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.6:*:*:*:*:*:*:*
- cpe:2.3:a:graphviz:graphviz:2.8:*:*:*:*:*:*:*
- (no CPE)range: <=2.20.2
- osv-coords5 versionspkg:apk/chainguard/py3.10-graphvizpkg:apk/chainguard/py3.11-graphvizpkg:apk/chainguard/py3.12-graphvizpkg:apk/chainguard/py3.13-graphvizpkg:apk/chainguard/py3-graphviz
< 0+ 4 more
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
- (no CPE)range: < 0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- www.securityfocus.com/bid/31648nvdPatch
- roeehay.blogspot.com/2008/10/graphviz-buffer-overflow-code-execution.htmlnvdExploit
- secunia.com/advisories/32186nvdVendor Advisory
- bugs.gentoo.org/show_bug.cginvd
- lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.htmlnvd
- secunia.com/advisories/32656nvd
- security.gentoo.org/glsa/glsa-200811-04.xmlnvd
- securityreason.com/securityalert/4409nvd
- www.securityfocus.com/archive/1/497150/100/0/threadednvd
- exchange.xforce.ibmcloud.com/vulnerabilities/45765nvd
News mentions
0No linked articles in our index yet.