VYPR
Low severity · 3.3 · NVD Advisory · Published May 25, 2026

CVE-2026-9503

Description

A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GNU LibreDWG up to 0.14 allows local denial of service via null pointer dereference in dwg_next_entity when processing a crafted DWG file.

Vulnerability

A null pointer dereference vulnerability exists in GNU LibreDWG up to version 0.14. The issue is in the function dwg_next_entity within src/decode.c. When a specially crafted DWG file is processed, the function dereferences a NULL pointer, leading to a crash. This has been reported as issue #1245 [1].

Exploitation

An attacker with local access can exploit this vulnerability by providing a malformed DWG file to tools such as dwg2SVG or any other application using the LibreDWG library. The attack requires no special privileges beyond the ability to run the affected software on a malformed file. The public PoC demonstrates a crash due to SEGV READ on NULL pointer [1].

Impact

Successful exploitation causes a denial of service (application crash) due to a null pointer dereference. There is no indication of memory corruption or remote code execution. The impact is limited to availability, with no confidentiality or integrity impact. The CVSS v3 score is 3.3 (Low).

Mitigation

The fix is available in commit 8f03865 [4]. Users should upgrade to a version of LibreDWG that includes this patch. If immediate upgrade is not possible, avoid processing untrusted DWG files with the affected library.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • LibreDWG/Libredwg (references) · 2 versions
    • (no CPE)
    • (no CPE), range: <=0.14

Patches

1
8f03865f37f5

decode: fix decompression overflow

https://github.com/libredwg/libredwg · Reini Urban · Apr 23, 2026 · via nvd-ref
1 file changed · +2 -0
  • src/decode.c · +2 -0 · modified
    @@ -2168,7 +2168,9 @@ read_2004_compressed_section (Bit_Chain *dat, Dwg_Data *restrict dwg,
                   = MIN ((BITCODE_RL)(info->size - es.fields.address),
                          es.fields.page_size);
               if (info->compressed == 2 || bytes_left < 0
    +              || es.fields.address > max_decomp_size
                   || es.fields.address + size > max_decomp_size
    +              || es.fields.address + size > dec.size
                   || offset + size > dat->size)
                 {
                   LOG_ERROR ("Some section size or address out of bounds");
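
Review bot: the two added conditions in `read_2004_compressed_section` still compare a sum. `es.fields.address > max_decomp_size` bounds the address on its own, but `es.fields.address + size > max_decomp_size`, `es.fields.address + size > dec.size` and the existing `offset + size > dat->size` all depend on `size` being small enough that the addition cannot wrap. Consider the subtraction form instead, for example rejecting when `es.fields.address > dec.size` and then when `size > dec.size - es.fields.address`, which is correct for any operand values. Two smaller points: the `MIN (...)` expression just above the condition subtracts `es.fields.address` from `info->size` before the address has been validated, and the single `LOG_ERROR` message does not say which bound failed, which makes rejected files harder to triage.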
    

Vulnerability mechanics

Root cause

"Missing bounds check on `es.fields.address + size` allows integer wrapping overflow during compressed section decompression, leading to a null pointer dereference."

Attack vector

An attacker with local access provides a specially crafted DWG file to a tool such as `dwg2SVG` [ref_id=1]. During decompression of the 2004-format compressed section, the missing bounds check on `es.fields.address + size` allows an integer-wrapping overflow that passes the existing `max_decomp_size` check, leading to out-of-bounds reads and ultimately a null pointer dereference in `dwg_next_entity` [patch_id=2539790]. The attack requires no special privileges beyond the ability to open a file with the affected library.

Affected code

The vulnerability resides in `src/decode.c` in the function `read_2004_compressed_section`. The crash manifests downstream in `dwg_next_entity` at `src/dwg.c:1231` when a malformed DWG file causes a null pointer dereference during entity traversal [ref_id=1]. The patch adds bounds checks on `es.fields.address + size` against both `max_decomp_size` and `dec.size` [patch_id=2539790].

What the fix does

The patch adds two additional guard conditions in `read_2004_compressed_section`: `es.fields.address > max_decomp_size` and `es.fields.address + size > dec.size` [patch_id=2539790]. These prevent the integer-wrapping overflow where `es.fields.address + size` could wrap around to a small value, bypassing the existing `max_decomp_size` check. By also verifying against `dec.size`, the fix ensures the computed address range stays within the actual decompression buffer, closing the null pointer dereference path.
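
The wrap described above, modelled as an added example (not LibreDWG code): the three functions are hypothetical stand-ins for the guard before the patch, the guard after it, and a subtraction-form alternative. The 32-bit unsigned field width and all values are assumptions constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the pre-patch guard: only the sum is compared. With 32-bit
   unsigned operands (an assumption of this example) the sum wraps mod 2^32. */
static bool accepts_sum_only (uint32_t address, uint32_t size,
                              uint32_t max_decomp_size)
{
  return !(address + size > max_decomp_size);
}

/* Model of the patched guard: the address is bounded on its own and the
   range is also compared against the real buffer size (dec_size). */
static bool accepts_patched (uint32_t address, uint32_t size,
                             uint32_t max_decomp_size, uint32_t dec_size)
{
  return !(address > max_decomp_size
           || address + size > max_decomp_size
           || address + size > dec_size);
}

/* Wrap-free alternative: never form address + size; compare the size
   against the room left after address instead. */
static bool accepts_subtract (uint32_t address, uint32_t size, uint32_t limit)
{
  return address <= limit && size <= limit - address;
}

int main (void)
{
  /* Constructed values, not taken from any real DWG file. */
  const uint32_t max_decomp = 0x10000, dec_size = 0x8000;
  const uint32_t address = 0xFFFFFF00u, size = 0x200; /* sum wraps to 0x100 */

  printf ("sum only : %d\n", accepts_sum_only (address, size, max_decomp));
  printf ("patched  : %d\n",
          accepts_patched (address, size, max_decomp, dec_size));
  printf ("subtract : %d\n", accepts_subtract (address, size, dec_size));
  /* An in-range request is still accepted by all three forms. */
  printf ("in range : %d %d %d\n", accepts_sum_only (0x100, size, max_decomp),
          accepts_patched (0x100, size, max_decomp, dec_size),
          accepts_subtract (0x100, size, dec_size));
  return 0;
}
```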

Preconditions

  • input: Attacker must be able to supply a malformed DWG file to a tool using the LibreDWG library (e.g., dwg2SVG)
  • input: The malformed file must trigger the 2004 compressed section code path in read_2004_compressed_section
  • network: Attack is local only (AV:L in CVSS)

Reproduction

Clone the repository at commit 6d6a339, configure with AddressSanitizer, build, then run `dwg2SVG` on the provided PoC file. The crash reproduces as a SEGV READ null pointer dereference in `dwg_next_entity` at `src/dwg.c:1231` [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
