CVE-2026-9502
Description
A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A heap-buffer-overflow in GNU LibreDWG up to 0.14 allows local attackers to crash or potentially execute code via a crafted DWG file.
Vulnerability
A heap-based buffer overflow vulnerability exists in decompress_R2004_section in src/decode.c of GNU LibreDWG up to version 0.14. The issue is a write of size 1 beyond the allocated heap buffer during R2004 section decompression, triggered when parsing a malformed DWG file. The vulnerable code path is accessible via the dwgread utility [1].
Exploitation
Exploitation requires local access and a crafted DWG file supplied as input to dwgread. No authentication is needed, and the exploit is publicly available [3]. The crash occurs when the decompression function reads and writes compressed data without proper bounds checking, leading to a heap-buffer-overflow [1].
Impact
Successful exploitation results in a heap buffer overflow, which can cause a denial of service (crash) or potentially allow arbitrary code execution in the context of the dwgread process. The exact impact depends on the heap layout and memory protections, but the vulnerability is rated medium severity with a CVSS v3 score of 5.3 [1].
Mitigation
The vulnerability is fixed in commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 [4]. Users should update to a patched version of GNU LibreDWG. If patching is not immediately possible, avoid processing untrusted DWG files with dwgread. The fix adds additional bounds checks to prevent the overflow [4].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
e501cb9926c1 decode: fix another decompression overflow
1 file changed · +8 −0
src/decode.c+8 −0 modified@@ -1284,6 +1284,14 @@ decompress_R2004_section (Bit_Chain *restrict src, Bit_Chain *restrict dec) opcode1 = 0x11; LOG_INSANE (">O %x!\n", opcode1); } + if (end > dec->size || (long)pos < comp_offset + || (size_t)(pos - comp_offset) >= dec->size + || (size_t)comp_offset > dec->size) + { + LOG_ERROR ("Invalid decompression bytes %d, offset %d", comp_bytes, + comp_offset); + return DWG_ERR_VALUEOUTOFBOUNDS; + } // GH #1204: memmove is wrong here: when comp_offset < comp_bytes the // source and destination overlap and newly-written bytes must be read // back (LZ77 run-length extension). memmove copies from original bytes.
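Review bot: the LOG_ERROR in the new guard prints only comp_bytes and comp_offset, yet the first and third conditions reject on end and pos, so a rejected file logs values that can look perfectly valid; include pos, end and dec->size in the message so the rejection is diagnosable from the log alone. The guard also casts pos to long before comparing with comp_offset but leaves comp_offset uncast and then casts the difference to size_t; a one-line comment stating the expected types of pos and comp_offset would make the intent of the mixed casts clear. Finally, the unchanged context comment directly below the guard still says memmove is wrong here for overlapping runs (GH #1204); the new check stops out-of-bounds writes but does not touch that overlap behaviour, so the commit message should say whether #1204 remains open.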
Vulnerability mechanics
Root cause
"Missing bounds validation on decompression offset and position allows out-of-bounds heap write in decompress_R2004_section."
Attack vector
An attacker provides a crafted DWG R2004 file to the dwgread utility. During parsing, the function decompress_R2004_section in src/decode.c processes compressed section data without validating that the computed decompression position and offset fall within the allocated buffer [ref_id=1]. This leads to a heap-buffer-overflow WRITE of size 1 at line 1297 [ref_id=1]. The attack requires local access and the ability to supply a malformed input file (AV:L, PR:L).
Affected code
The vulnerable function is decompress_R2004_section in src/decode.c. The heap-buffer-overflow WRITE occurs at line 1297 [ref_id=1]. The call chain is: dwg_read_file → dwg_decode → decode_R2004 → read_2004_section_template → read_2004_compressed_section → decompress_R2004_section [ref_id=1].
What the fix does
The patch [patch_id=2539791] adds four bounds checks before the memmove/memset operations at the vulnerable code point. It validates that the end pointer does not exceed dec->size, that the position is not below comp_offset, that the computed offset is within dec->size, and that comp_offset itself does not exceed dec->size. If any check fails, the function returns DWG_ERR_VALUEOUTOFBOUNDS and logs an error, preventing the out-of-bounds write.
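A reduced model of the check described above, added here as an example and not taken from LibreDWG: a back-reference copy of the kind decompress_R2004_section performs, with the patch's four bounds conditions in front of it. The names pos, end, comp_offset, comp_bytes and dec->size follow the patch; the Bit_Chain layout, the error code's numeric value and the byte-wise copy loop are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Name from the patch; the numeric value is an assumption for this example. */
#define DWG_ERR_VALUEOUTOFBOUNDS (-1)

/* Minimal stand-in for LibreDWG's Bit_Chain: a heap buffer and its size. */
typedef struct { unsigned char *chain; size_t size; } Bit_Chain;

/* Copy comp_bytes bytes from (pos - comp_offset) to pos inside dec->chain,
 * guarded by the same four conditions the fix adds.  The copy is done byte
 * by byte so an overlapping run (comp_offset < comp_bytes) re-reads bytes
 * written moments earlier, which is the LZ77 run-length extension the
 * patch's comment describes memmove getting wrong. */
static int decompress_run(Bit_Chain *dec, size_t pos, long comp_offset, size_t comp_bytes)
{
    size_t end = pos + comp_bytes;           /* first byte after the run */
    if (end > dec->size || (long)pos < comp_offset
        || (size_t)(pos - comp_offset) >= dec->size
        || (size_t)comp_offset > dec->size)
      {
        /* fprintf stands in for LibreDWG's LOG_ERROR macro. */
        fprintf(stderr, "Invalid decompression bytes %zu, offset %ld\n",
                comp_bytes, comp_offset);
        return DWG_ERR_VALUEOUTOFBOUNDS;
      }
    for (size_t i = 0; i < comp_bytes; i++)
      dec->chain[pos + i] = dec->chain[pos - comp_offset + i];
    return 0;
}

/* Constructed check: an overlapping run expands correctly, and malformed
 * (pos, offset, length) triples are rejected before any byte is written.
 * Returns 1 on success, 0 on the first failed expectation. */
static int self_check(void)
{
    unsigned char buf[16] = "ab";            /* constructed output buffer */
    Bit_Chain dec = { buf, sizeof buf };
    if (decompress_run(&dec, 2, 2, 6) != 0) return 0;
    if (memcmp(buf, "abababab", 8) != 0) return 0;      /* run extended */
    /* source would start before the buffer: pos < comp_offset */
    if (decompress_run(&dec, 2, 3, 1) != DWG_ERR_VALUEOUTOFBOUNDS) return 0;
    /* run would write past dec->size: end > size */
    if (decompress_run(&dec, 10, 2, 7) != DWG_ERR_VALUEOUTOFBOUNDS) return 0;
    /* offset larger than the whole buffer */
    if (decompress_run(&dec, 8, 17, 1) != DWG_ERR_VALUEOUTOFBOUNDS) return 0;
    return 1;
}
```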
Preconditions
- auth: Attacker must have local access to run dwgread on a crafted file
- input: Attacker must supply a malformed DWG R2004 file as input
Reproduction
1. Clone the LibreDWG repository and check out commit 6d6a339.
2. Build with AddressSanitizer enabled (CFLAGS="-O0 -g -fno-omit-frame-pointer -fsanitize=address", LDFLAGS="-fsanitize=address").
3. Run `./programs/dwgread <malicious-poc.dwg>`, where the PoC file is a crafted DWG R2004 file that triggers the overflow [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_overflow_decompress_R2004_section.dwg
- github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be801c9
- github.com/LibreDWG/libredwg/issues/1243
- vuldb.com/submit/814259
- vuldb.com/vuln/365484
- vuldb.com/vuln/365484/cti
- www.gnu.org