Versions mentioned in the description apply to the upstream
Remediation section below for
Debian:9 relevant versions.
NULL pointer dereference vulnerability in the rebuild_vlists function in lib/dotgen/conc.c in the dotgen library in Graphviz 2.40.1 allows remote attackers to cause a denial of service (application crash) via a crafted file.
graphviz to version 2.38.0-17+deb9u1 or higher.