VYPR
Low severity · 3.3 · NVD Advisory · Published May 26, 2026

CVE-2026-9529

Description

A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER in the file dwggrep.c of the Dwggrep Utility component. Manipulation of this function results in a null pointer dereference. The attack must be carried out locally. The exploit has been released to the public and may be used for attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

GNU LibreDWG up to 0.14.1's dwggrep utility crashes via a NULL pointer dereference in match_BLOCK_HEADER when processing a crafted DWG file.

Vulnerability

A NULL pointer dereference vulnerability exists in the match_BLOCK_HEADER function in dwggrep.c of the dwggrep utility in GNU LibreDWG up to version 0.14.1. The flaw is triggered when the tool processes a specially crafted DWG file, leading to a read access at address 0x0 during BLOCK_HEADER object matching [1]. The issue was discovered in commit 6d6a339 on the main branch (2026-04-10) and affects all versions up to and including that commit [1].

Exploitation

An attacker must provide a malformed DWG file to the dwggrep utility. No authentication or special privileges are required beyond local file access. The attacker simply runs dwggrep with a crafted input; the tool will parse the file and reach the vulnerable code path, causing a segmentation fault due to a NULL pointer dereference [1].

Impact

Successful exploitation results in a denial of service (DoS) via application crash. The segmentation fault terminates the dwggrep process. The crash has been confirmed with AddressSanitizer output showing a NULL pointer read at address 0x0 [1]. No other impact (code execution, privilege escalation, or data disclosure) has been demonstrated.

Mitigation

As of the latest available references, no official patch has been released [1]. Users should monitor the GNU LibreDWG repository for a fix. As a workaround until a patched version is available, avoid processing untrusted DWG files with dwggrep. The vulnerability is publicly known, and a proof-of-concept crash file is available [3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • LibreDWG/Libredwg · references · 2 versions
    • (no CPE)
    • (no CPE), range: <=0.14

Patches

0

No patches discovered yet.

References

6