GNU LibreDWG CVE-2026-9605
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue.
AnalysisAI
Heap-based buffer overflow in GNU LibreDWG through version 0.13.4.8160 lets an attacker corrupt heap memory by getting the library to parse a malicious DWG file, specifically a 2004-format file with a crafted compressed section processed via the dwgbmp thumbnail-extraction utility. The flaw stems from missing bounds validation in the decompression routine and is reachable without authentication or user privileges per its CVSS vector; impact is rated low across confidentiality, integrity, and availability (CVSS 7.3). Publicly available exploit code exists (a proof-of-concept DWG sample), but the issue is not listed in CISA KEV, and an official upstream fix has been committed.
Technical ContextAI
LibreDWG is GNU's C library for reading and writing AutoCAD DWG CAD files, used by tools such as dwgbmp (which extracts the embedded BMP/preview thumbnail from a DWG). The vulnerability is a CWE-122 heap-based buffer overflow. While the advisory text attributes the bug to the byte-reading primitive bit_read_RC in src/bits.c, the published fix actually lands in read_2004_compressed_section in src/decode.c, where the patch adds bounds checks (es.fields.address > max_decomp_size and es.fields.address + size > dec.size) before writing decompressed section data. This indicates the root cause is an unchecked attacker-controlled offset/size from the DWG R2004 compressed-section header that drives an out-of-bounds heap access during decompression, consistent with the exploit sample named 'heap_oob_write_read_2004_compressed_section'. The affected component is identified by CPE cpe:2.3:a:gnu:libredwg:*:*:*:*:*:*:*:* covering all versions up to 0.13.4.8160.
RemediationAI
Upstream fix available (commit 8f03865f37f5d4ffd616fef802acc980be54d300); released patched version not independently confirmed - rebuild LibreDWG from a source tree that includes this commit (https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be54d300), or upgrade to the first packaged release incorporating it once your distribution ships one. Until you can deploy the patched build, the most effective compensating control is to avoid processing untrusted DWG files with vulnerable LibreDWG tooling: do not run dwgbmp (or other LibreDWG consumers) against files from unverified sources, since the bug is triggered specifically by malicious R2004 compressed-section content. If LibreDWG runs as part of an automated/service pipeline, restrict it to trusted inputs and sandbox the parser (e.g., run under a restricted, low-privilege account or container with no network and minimal filesystem access) so heap corruption cannot escalate beyond the parsing process; the trade-off is added operational complexity and the loss of automated thumbnail/conversion of externally supplied DWGs. Refer to the VulDB advisory (https://vuldb.com/vuln/365678) and upstream issue #1248 for tracking.
LibreDWG v0.12.4.4608 & commit f2dea29 was discovered to contain a heap use-after-free via bit_copy_chain. Rated critica
LibreDWG v0.12.3 was discovered to contain a heap-buffer overflow via decode_preR13. Rated critical severity (CVSS 9.8),
GNU LibreDWG 0.10 is affected by: memcpy-param-overlap. Rated high severity (CVSS 8.8), this vulnerability is remotely e
An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. Rated critical severity (CVSS 9.1), this vulnerability is remo
An issue was discovered in GNU LibreDWG 0.7 and 0.7.1645. Rated critical severity (CVSS 9.1), this vulnerability is remo
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes ../../src/decode.c:
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_B ../../src/bits.c:135. Rated high se
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_search_sentinel ../../src/bits.c:1985. Rat
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_appinfo ../../src/decode.c:
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via bit_read_RC ../../src/bits.c:318. Rated high s
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_section_revhistory ../../src/decode
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode
Same weakness CWE-122 – Heap-based Buffer Overflow
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today