VYPR
Unrated severity · NVD Advisory · Published May 25, 2026

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion

CVE-2026-9501

Description

A vulnerability was found in GNU LibreDWG up to 0.14. It affects the function decompress_R2004_section in the file src/decode.c of the Dwgread Utility component. Manipulated input can lead to a reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be used. The patch is identified as e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 and should be applied to remediate this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An assertion failure in GNU LibreDWG up to 0.14's decompress_R2004_section function allows denial of service via a crafted DWG file.

Vulnerability

The vulnerability resides in the `decompress_R2004_section` function within `src/decode.c` of the GNU LibreDWG library up to version 0.14 (commit 6d6a339). The affected component is the `dwgread` utility. When processing a specially crafted DWG R2004 compressed section, the internal decompression position pointer (`pos`) becomes smaller than the expected `comp_offset` value, triggering the reachable assertion `(long)pos >= (long)comp_offset` at line 1293 [1][3]. This results in program abort.

Exploitation

An attacker with local access can trigger the vulnerability by supplying a maliciously crafted DWG file to the `dwgread` utility. No authentication or special privileges are required beyond the ability to invoke the tool on the crafted input. The exploit has been publicly disclosed and a proof-of-concept file is available [2][3]. The crash occurs during the call chain `dwg_read_file()` → `dwg_decode()` → `decode_R2004()` → `decompress_R2004_section()`, where the assertion check fails without proper input sanitization [3].

Impact

Successful exploitation leads to an assertion failure and program abort, resulting in a denial of service (CIA impact: availability). No code execution or privilege escalation is indicated by the sources; the impact is limited to crashing the dwgread tool or any application using the library in debug mode with assertions enabled.

Mitigation

The issue is fixed in commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 [4]. The patch adds validation checks for decompression offset and position values before the assertion, returning a proper error (DWG_ERR_VALUEOUTOFBOUNDS) instead of aborting [4]. Users should update LibreDWG to a version containing this commit. If patching is not immediately possible, avoid processing untrusted DWG files with dwgread.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • LibreDWG/Libredwg (inferred), 2 versions: <=0.14
    • (no CPE) range: <=0.14
    • (no CPE) range: <=0.14

Patches

1
e501cb9926c1

decode: fix another decompression overflow

https://github.com/libredwg/libredwg · Reini Urban · Apr 23, 2026 · via nvd-ref
1 file changed · +8 −0
  • src/decode.c · +8 −0 · modified
    @@ -1284,6 +1284,14 @@ decompress_R2004_section (Bit_Chain *restrict src, Bit_Chain *restrict dec)
               opcode1 = 0x11;
               LOG_INSANE (">O %x!\n", opcode1);
             }
    +      if (end > dec->size || (long)pos < comp_offset
    +          || (size_t)(pos - comp_offset) >= dec->size
    +          || (size_t)comp_offset > dec->size)
    +        {
    +          LOG_ERROR ("Invalid decompression bytes %d, offset %d", comp_bytes,
    +                     comp_offset);
    +          return DWG_ERR_VALUEOUTOFBOUNDS;
    +        }
           // GH #1204: memmove is wrong here: when comp_offset < comp_bytes the
           // source and destination overlap and newly-written bytes must be read
           // back (LZ77 run-length extension). memmove copies from original bytes.
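
Review bot: In the first added condition, `(long)pos < comp_offset` casts only the left operand, while the assertion this check guards is written `(long)pos >= (long)comp_offset`; the declarations are outside this hunk, but if `comp_offset` is an unsigned type the comparison is performed unsigned and no longer mirrors the assert, so cast both sides the same way the assert does. The `LOG_ERROR` message also prints only `comp_bytes` and `comp_offset`, although the values that decide the rejection are `pos`, `end` and `dec->size`; including them would make a rejected file diagnosable from the log, and the `%d` specifiers should be checked against the variables' declared types.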
    

Vulnerability mechanics

Root cause

"Missing bounds validation of decompression offset and position values in `decompress_R2004_section` allows a malformed DWG file to trigger a reachable assertion."

Attack vector

An attacker provides a specially crafted DWG R2004 file that, when parsed by the `dwgread` utility, causes the internal decompression position pointer `pos` to become smaller than the expected `comp_offset` value [ref_id=1]. This violates the assertion constraint at line 1293 of `decompress_R2004_section`, triggering a program abort [ref_id=1]. The attack is local — the victim must open the malicious file with `dwgread` [ref_id=1].

Affected code

The vulnerable function is `decompress_R2004_section` in `src/decode.c` [ref_id=1]. The crash occurs at line 1293 where an assertion `(long)pos >= (long)comp_offset` fails when processing malformed DWG R2004 compressed section data [ref_id=1].

What the fix does

The patch adds bounds checks before the assertion: it validates that `end` does not exceed `dec->size`, that `pos` is not less than `comp_offset`, that the computed offset `(pos - comp_offset)` is within `dec->size`, and that `comp_offset` itself is within `dec->size` [patch_id=2473658]. If any check fails, the function returns `DWG_ERR_VALUEOUTOFBOUNDS` instead of reaching the assertion [patch_id=2473658]. This prevents the reachable assertion crash by rejecting malformed input early.
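
The pattern the fix follows, shown as an added C example that is not LibreDWG's code: an LZ77-style back-reference copy that validates the stream-supplied offset and length and returns an error instead of asserting. The names `lz_out`, `lz_copy_backref`, `demo` and the status codes are hypothetical; only the roles of `pos`, `comp_offset` and `comp_bytes` come from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes for this sketch (not LibreDWG's values). */
enum { LZ_OK = 0, LZ_ERR_OUT_OF_BOUNDS = 1 };

/* Illustrative output buffer; `pos` is the next write position. */
typedef struct { uint8_t *buf; size_t size; size_t pos; } lz_out;

/* Copy `len` bytes starting `offset` bytes behind the write position.
 * `offset` and `len` come from the untrusted stream (the roles played by
 * comp_offset and comp_bytes), so bad values are rejected with an error
 * code rather than checked with assert(). */
int lz_copy_backref(lz_out *out, size_t offset, size_t len)
{
  if (out->pos > out->size)               /* inconsistent buffer state */
    return LZ_ERR_OUT_OF_BOUNDS;
  if (offset == 0 || offset > out->pos)   /* nothing to refer to, or source
                                             lies before the buffer start */
    return LZ_ERR_OUT_OF_BOUNDS;
  if (len > out->size - out->pos)         /* would write past the end */
    return LZ_ERR_OUT_OF_BOUNDS;
  /* Forward byte copy: when offset < len the ranges overlap and bytes
   * written earlier in this loop are read back (run-length extension),
   * which memmove() would not reproduce. */
  for (size_t i = 0; i < len; i++, out->pos++)
    out->buf[out->pos] = out->buf[out->pos - offset];
  return LZ_OK;
}

/* Constructed input: seed "ab", then apply one back-reference into dst. */
int demo(size_t offset, size_t len, uint8_t dst[8])
{
  lz_out out = { dst, 8, 2 };
  dst[0] = 'a';
  dst[1] = 'b';
  return lz_copy_backref(&out, offset, len);
}

int main(void)
{
  uint8_t d[9] = { 0 };                   /* 8 data bytes + terminator */
  printf("overlapping run: %d -> %s\n", demo(2, 6, d), (char *)d);
  printf("offset beyond pos: %d\n", demo(3, 1, d));
  printf("length beyond size: %d\n", demo(1, 7, d));
  return 0;
}
```

The second call corresponds to the condition described on this page, where the write position is smaller than the back-reference offset; the caller gets an error code it can propagate instead of an abort.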

Preconditions

  • input: Victim must open a malicious DWG R2004 file with the dwgread utility
  • network: Attack is local; no network vector

Reproduction

1. Clone LibreDWG at commit 6d6a339 and build with `--enable-debug` and AddressSanitizer [ref_id=1].
2. Run `dwgread` on the malicious PoC file from https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_assert_fail_decompress_R2004_section.dwg [ref_id=1].
3. The program aborts with the assertion failure `(long)pos >= (long)comp_offset` at `decode.c:1293` [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
