VYPR
Low severity · 3.3 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-9530

Description

A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section in the file src/decode.c of the Dwgbmp Utility component. Manipulation of its input can lead to an out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Applying the patch is advised to correct this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An out-of-bounds read in GNU LibreDWG's dwgbmp utility when processing malformed DWG files can lead to information disclosure, fixed in commit 8f03865.

Vulnerability

A heap-buffer-overflow vulnerability exists in GNU LibreDWG up to version 0.14, specifically in the read_2004_compressed_section function within src/decode.c. This function is used by the dwgbmp utility to decompress R2004 compressed sections of DWG files. Due to insufficient bounds checking, a malformed DWG file can cause an out-of-bounds read of size 1 in bit_read_RC at bits.c:281, as detailed in the issue report [1]. The crash call stack indicates this is likely an incomplete fix of a previous vulnerability [1].

Exploitation

An attacker with local access can exploit this vulnerability by providing a specially crafted DWG file to the dwgbmp utility. No authentication or special privileges are required beyond the ability to run the utility on the malicious file. The proof-of-concept file is publicly available [3]. When dwgbmp processes the file, the decompression routine triggers the out-of-bounds read, leading to a crash or potential information leak.

Impact

Successful exploitation results in an out-of-bounds heap read, which can cause a denial of service (crash) or disclose sensitive heap memory contents. The CVSS v3 score is 3.3 (Low), indicating limited impact. No remote code execution or privilege escalation is reported.

Mitigation

The vulnerability is fixed in commit 8f03865f37f5d4ffd616fef802acc980be54d300 [4]. Users should update to a version of LibreDWG that includes this patch or apply the patch manually. No workarounds are documented. The fix adds additional bounds checks in read_2004_compressed_section to prevent the overflow.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • LibreDWG/Libredwg · references · 2 versions
    • (no CPE)
    • (no CPE) · range: <=0.14

Patches

1
8f03865f37f5

decode: fix decompression overflow

https://github.com/libredwg/libredwg · Reini Urban · Apr 23, 2026 · via nvd-ref
1 file changed · +2 -0
  • src/decode.c · +2 -0 · modified
    @@ -2168,7 +2168,9 @@ read_2004_compressed_section (Bit_Chain *dat, Dwg_Data *restrict dwg,
                   = MIN ((BITCODE_RL)(info->size - es.fields.address),
                          es.fields.page_size);
               if (info->compressed == 2 || bytes_left < 0
    +              || es.fields.address > max_decomp_size
                   || es.fields.address + size > max_decomp_size
    +              || es.fields.address + size > dec.size
                   || offset + size > dat->size)
                 {
                   LOG_ERROR ("Some section size or address out of bounds");
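Review bot: the added `es.fields.address + size > dec.size` test, like the `+ size > max_decomp_size` line above it, compares a sum, so it only holds if that addition cannot wrap for the operand types, which this hunk does not show. Writing each as `size > limit || es.fields.address > limit - size` would remove that dependency. The `LOG_ERROR` text is also shared by all six conditions now, so logging `es.fields.address`, `size`, `dec.size` and `max_decomp_size` there would tell a maintainer which bound a given file tripped.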
    

Vulnerability mechanics

Root cause

"Missing bounds check on `es.fields.address + size > dec.size` allows integer wrapping or overflow past the allocated decompression buffer, leading to an out-of-bounds heap read."

Attack vector

An attacker with local access supplies a specially crafted DWG file to the `dwgbmp` utility [ref_id=1]. The file contains a malformed R2004 compressed section whose `es.fields.address` and `size` values cause `es.fields.address + size` to wrap around or exceed the allocated decompression buffer (`dec.size`) [patch_id=2539780]. This out-of-bounds read of size 1 at `bit_read_RC` results in a heap-buffer-overflow [ref_id=1]. No special privileges beyond local file access are required; the attack vector is local (AV:L) per the CVSS vector.

Affected code

The vulnerability resides in `src/decode.c` within the function `read_2004_compressed_section` [patch_id=2539780]. The crash propagates through `decompress_R2004_section` and `copy_bytes` into `bit_read_RC` at `src/bits.c:281`, where a heap-buffer-overflow read of size 1 occurs [ref_id=1]. The flaw is triggered when processing a malformed R2004 compressed section in a DWG file via the `dwgbmp` utility [ref_id=1].

What the fix does

The patch adds two new bounds checks in `read_2004_compressed_section` at `src/decode.c` [patch_id=2539780]. The first check (`es.fields.address > max_decomp_size`) catches cases where the address alone exceeds the maximum decompressed size. The second check (`es.fields.address + size > dec.size`) ensures that the computed end offset does not wrap past the actual allocated buffer size `dec.size`. Previously only `es.fields.address + size > max_decomp_size` was validated, which missed integer-wrapping scenarios that could bypass the guard and lead to out-of-bounds reads [patch_id=2539780]. The commit message confirms this fixes decompression overflow issues reported in GH #1245 and #1248 [patch_id=2539780].
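The three shapes of the check described above, as an added example that is not LibreDWG code: `section_req`, the `reject_*` functions and the sample values are hypothetical, and the 32-bit field widths are an assumption chosen so the wrap is visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for es.fields.address, size, max_decomp_size and
   dec.size; 32-bit widths are an assumption made to show the wrap. */
typedef struct {
  uint32_t address, size, max_decomp_size, dec_size;
} section_req;

/* Pre-patch shape: only the end offset is compared, and only against the
   declared maximum. Returns true when the request is rejected. */
static bool reject_before (const section_req *r)
{
  return (uint32_t)(r->address + r->size) > r->max_decomp_size;
}

/* Post-patch shape: the two added comparisons from the commit. */
static bool reject_after (const section_req *r)
{
  return r->address > r->max_decomp_size
         || (uint32_t)(r->address + r->size) > r->max_decomp_size
         || (uint32_t)(r->address + r->size) > r->dec_size;
}

/* Wrap-free form: never adds, so no operand pair can overflow. */
static bool reject_no_add (const section_req *r)
{
  uint32_t limit = r->dec_size < r->max_decomp_size ? r->dec_size
                                                    : r->max_decomp_size;
  return r->size > limit || r->address > limit - r->size;
}

/* Constructed inputs, not taken from the proof-of-concept file. */
static const section_req WRAPS = { 0xFFFFFFF0u, 0x20u, 0x8000u, 0x4000u };
static const section_req PAST_ALLOC = { 0x3FF0u, 0x20u, 0x8000u, 0x4000u };
static const section_req IN_RANGE = { 0x1000u, 0x20u, 0x8000u, 0x4000u };

int main (void)
{
  const section_req *cases[] = { &WRAPS, &PAST_ALLOC, &IN_RANGE };
  for (int i = 0; i < 3; i++)
    printf ("case %d: before=%d after=%d no_add=%d\n", i,
            reject_before (cases[i]), reject_after (cases[i]),
            reject_no_add (cases[i]));
  return 0;
}
```

`WRAPS` passes the pre-patch comparison because the sum truncates to a small value, and `PAST_ALLOC` passes it because the end offset is below the declared maximum yet beyond the allocated size; both are rejected by the post-patch and wrap-free forms.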

Preconditions

  • network: Attacker must have local access to the system to run the dwgbmp utility
  • input: Attacker must supply a malformed DWG file with crafted compressed section parameters

Reproduction

1. Clone the LibreDWG repository at commit `6d6a339` and build with AddressSanitizer enabled using the configure flags shown in the reference write-up [ref_id=1].
2. Run `dwgbmp poc.dwg` where `poc.dwg` is the malformed proof-of-concept file [ref_id=1].
3. Observe the heap-buffer-overflow crash in `bit_read_RC` at `bits.c:281` with the error log indicating a read of size 1 at an address 0 bytes to the right of a 19745-byte heap region [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7
