GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow
Description
A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Heap buffer overflow in GNU LibreDWG's dwgread utility allows local attackers to crash or potentially execute code via crafted DWG file.
Vulnerability
A heap-based buffer overflow vulnerability exists in the read_2004_compressed_section function in src/decode.c of GNU LibreDWG, affecting versions up to 0.14 (including commit 6d6a339 on the main branch). The issue occurs when parsing malformed DWG R2004 input with the dwgread tool, leading to an out-of-bounds write during a memcpy/memmove operation [2].
Exploitation
An attacker with local access can exploit this vulnerability by supplying a specially crafted DWG file to the dwgread utility. The exploit has been publicly demonstrated, with a proof-of-concept file available [3]. No additional privileges or authentication are required beyond the ability to execute dwgread on the target system.
Impact
Successful exploitation causes a heap buffer overflow that results in a segmentation fault (SEGV) and denial of service. AddressSanitizer logs confirm a write access to an invalid heap location [2]. Depending on heap layout, an attacker may also achieve arbitrary code execution with the privileges of the user running dwgread.
Mitigation
As of the publication date, the LibreDWG project has not responded to the issue report and no patch has been released. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should avoid processing untrusted DWG files with dwgread until a fix is available.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwgmitreexploit
- vuldb.com/submit/814248mitrethird-party-advisory
- github.com/LibreDWG/libredwg/issues/1241mitreissue-tracking
- vuldb.com/vuln/365482mitrevdb-entrytechnical-description
- vuldb.com/vuln/365482/ctimitresignaturepermissions-required
- www.gnu.orgmitreproduct
News mentions
0No linked articles in our index yet.