Funny enough that tools like graphviz qualify for CVE assignments :) Do not get me wrong, I really like graphviz, its a great tool and I use it myself; but probably like 2 scientists or 1 anti-terror fed plotting his graphs in the whole world would be targeted attacked using dot files sent via mail I guess. Seems like the initial fix: https://github.com/ellson/graphviz/commit/7aaddf52cd98589fb0c3ab72a393f8411838438a also contains a sprintf() which is also later removed by commit d266bb2b4154d11c27252b56d86963aef4434750 just for safety reasons. And finally there also is: /* chkNum: * The regexp for NUMBER allows a terminating letter. * This way we can catch a number immediately followed by a name * and report this to the user. */ static int chkNum(void) { unsigned char c = (unsigned char)yytext[yyleng-1]; /* last character */ if (!isdigit(c) && (c != '.')) { /* c is letter */ char buf[BUFSIZ]; sprintf(buf,"syntax error - badly formed number '%s' in line %d of %s\n",yytext,line_num, InputFile); strcat (buf, "splits into two name tokens\n"); agerr(AGWARN,buf); return 1; } else return 0; } which also looks like a buffer overflow from user input; yet unfixed. (the regex seems to accept arbitrary long digit list) So for the 3 potential victims, we need to fix that too :) Sebastian