VYPR
High severity · 7.3 · NVD Advisory · Published May 27, 2026

CVE-2026-9605

Description

A flaw has been found in GNU libredwg up to 0.13.4.8160. The issue affects the function bit_read_RC in the file bits.c of the Dwgbmp Utility component. The manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. An exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying the patch is the recommended action to fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Heap-buffer-overflow in GNU libredwg up to 0.13.4.8160 in bit_read_RC, reachable remotely through a malformed DWG file processed by dwgbmp.

Vulnerability

A heap-buffer-overflow exists in GNU libredwg up to version 0.13.4.8160 in the bit_read_RC function in bits.c. It is reached while the dwgbmp utility decompresses the R2004 compressed sections of a malformed DWG file: the decompressor keeps asking bit_read_RC for bytes past the end of a heap buffer, which AddressSanitizer reports as an out-of-bounds heap read of size 1 at bits.c:281. The flaw stems from an incomplete fix for a previous similar issue [1].

Exploitation

An attacker exploits this by getting a target to open a specially crafted DWG file with the dwgbmp tool; the file itself can be delivered remotely and no authentication is required. The exploit has been published and the crash is reproducible simply by opening the malformed file with dwgbmp [1]. The AddressSanitizer report shows a heap-buffer-overflow read of size 1 in bit_read_RC within the decompression call chain [1].

Impact

Successful exploitation produces an out-of-bounds heap read. The reported primitive is a one-byte read rather than a write, so the realistic outcomes are a denial of service (crash) and, if the over-read bytes propagate into the program's output, information disclosure. The published PoC demonstrates neither a controlled write nor code execution, although code execution has not been ruled out. The CVSS score of 7.3 (High) reflects the assigned vector rather than a demonstrated code-execution path.

Mitigation

The flaw is fixed by commit 8f03865f37f5d4ffd616fef802acc980be54d300 [4]. Update to a build containing that commit or backport the patch. The commit tightens the bounds check in read_2004_compressed_section so that a section whose address, or address plus size, exceeds the decompression buffer is rejected before decompression begins [4]. There is no configuration workaround in the software; until it is patched, treat dwgbmp as unsafe to run on DWG files from untrusted sources.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • LibreDWG/Libredwg (2 version entries, no CPE assigned): range <= 0.13.4.8160

Patches (1)

8f03865f37f5

decode: fix decompression overflow

https://github.com/libredwg/libredwg · Reini Urban · Apr 23, 2026 · via nvd-ref
1 file changed · +2 −0
  • src/decode.c (modified, +2 −0)
    @@ -2168,7 +2168,9 @@ read_2004_compressed_section (Bit_Chain *dat, Dwg_Data *restrict dwg,
                   = MIN ((BITCODE_RL)(info->size - es.fields.address),
                          es.fields.page_size);
               if (info->compressed == 2 || bytes_left < 0
    +              || es.fields.address > max_decomp_size
                   || es.fields.address + size > max_decomp_size
    +              || es.fields.address + size > dec.size
                   || offset + size > dat->size)
                 {
                   LOG_ERROR ("Some section size or address out of bounds");
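Review bot: both added terms still test a sum computed in BITCODE_RL, so an `es.fields.address` below `max_decomp_size` paired with a `size` large enough to wrap `es.fields.address + size` back below both `max_decomp_size` and `dec.size` passes every condition in this guard; `size` is capped by `es.fields.page_size` on the MIN line above, but that value is read from the same section entry as `address`. A subtraction form cannot wrap and is valid once the new `es.fields.address > max_decomp_size` term has already run: `|| size > max_decomp_size - es.fields.address` and `|| size > dec.size - es.fields.address` (the latter also needs `es.fields.address > dec.size` rejected first). A one-line comment stating why `dec.size` can differ from `max_decomp_size` would help the next reader, since the hunk now checks the same sum against both limits.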
    

Vulnerability mechanics

Root cause

"Missing bounds check on `es.fields.address + size` wrapping over `dec.size` allows heap-buffer-overflow during R2004 compressed section decompression."

Attack vector

An attacker triggers this heap-buffer-overflow by supplying a malformed DWG file to the `dwgbmp` utility [ref_id=1]. The file is parsed by `dwg_read_file` and `decode_R2004`, which calls `read_2004_compressed_section` to decompress R2004-format sections. Before the patch, the guard compared `es.fields.address + size` only against `max_decomp_size` and never against `dec.size`, the size of the buffer actually allocated for the decompressed data, so a section whose address plus size exceeded that allocation was accepted and decompression read past the heap buffer [patch_id=2595563]. No authentication or special privileges are required; the advisory rates the issue as network-reachable (CVSS:3.1/AV:N/AC:L/PR:N/UI:N), although in practice the victim must process the file with dwgbmp.

Affected code

The vulnerability is in `src/decode.c` within the `read_2004_compressed_section` function, specifically in the bounds check for decompressed section data. The crash call stack traces through `decompress_R2004_section` and `copy_bytes` to `bit_read_RC` in `src/bits.c:281` [ref_id=1]. The patch adds two additional checks: `es.fields.address > max_decomp_size` and `es.fields.address + size > dec.size` [patch_id=2595563].

What the fix does

The patch adds two new terms to the existing bounds guard in `read_2004_compressed_section` [patch_id=2595563]. The first (`es.fields.address > max_decomp_size`) rejects entries whose starting address alone lies beyond the declared decompressed size. The second (`es.fields.address + size > dec.size`) compares the same sum against the buffer actually allocated for the decompressed section, which need not equal `max_decomp_size`; this is the check that closes the read past the allocation. Note that neither term stops the sum itself from wrapping: a sum that wraps around to a small value still passes both comparisons, so the guard relies on `size` being kept small by the `MIN(..., es.fields.page_size)` bound. Both new conditions route into the existing `LOG_ERROR` and rejection path.
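The following is an added example, not libredwg's code: a C model of the guard arithmetic in `read_2004_compressed_section`, showing the pre-patch condition, the patched condition from commit 8f03865f, and a wrap-safe alternative, run over three constructed inputs. The struct, the function names and the inputs are this example's own; `BITCODE_RL` is typedef'd here as `uint32_t` to match libredwg's unsigned 32-bit raw-long type, and the guard's other terms (`info->compressed`, `bytes_left`, `offset + size > dat->size`) are omitted because they do not take part in the address/size arithmetic.

```c
/* Added example modelling the bounds guard of read_2004_compressed_section
 * (libredwg src/decode.c). Not libredwg code: names and inputs are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t BITCODE_RL; /* libredwg's unsigned 32-bit raw long */

/* What the guard sees: (address, size) from the section entry in the file,
 * max_decomp_size from the section header, dec_size = bytes actually allocated. */
struct section_guard_input {
    BITCODE_RL address;         /* es.fields.address */
    BITCODE_RL size;            /* MIN(info->size - address, page_size) */
    BITCODE_RL max_decomp_size; /* declared decompressed size */
    BITCODE_RL dec_size;        /* allocated decompression buffer */
};

/* Pre-patch guard: only the 32-bit sum against max_decomp_size. */
bool guard_prepatch(const struct section_guard_input *in)
{
    BITCODE_RL end = (BITCODE_RL)(in->address + in->size); /* may wrap */
    return end <= in->max_decomp_size;
}

/* Guard as patched in 8f03865f: two extra terms, same wrapping sum. */
bool guard_patched(const struct section_guard_input *in)
{
    BITCODE_RL end = (BITCODE_RL)(in->address + in->size); /* may wrap */
    if (in->address > in->max_decomp_size) return false;
    if (end > in->max_decomp_size) return false;
    if (end > in->dec_size) return false;
    return true;
}

/* Wrap-safe form: compare size with the remaining room instead of adding. */
bool guard_wrap_safe(const struct section_guard_input *in)
{
    if (in->address > in->max_decomp_size || in->address > in->dec_size)
        return false;
    if (in->size > in->max_decomp_size - in->address) return false;
    if (in->size > in->dec_size - in->address) return false;
    return true;
}

/* Bytes beyond the dec_size allocation that a copy of `size` bytes starting at
 * `address` would touch, computed in 64 bits so the true end never wraps. */
uint64_t bytes_out_of_bounds(const struct section_guard_input *in)
{
    uint64_t end = (uint64_t)in->address + in->size;
    return end > in->dec_size ? end - in->dec_size : 0;
}

int main(void)
{
    /* Constructed inputs, not values taken from the published PoC file. */
    const struct section_guard_input cases[] = {
        { 0x1000, 0x100, 0x10000, 0x10000 },      /* sane section */
        { 0x8000, 0x100, 0x10000, 0x8080 },       /* fits max_decomp_size, not the allocation */
        { 0x100, 0xFFFFFF00u, 0x10000, 0x10000 }, /* address + size wraps to 0 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("case %zu: prepatch=%d patched=%d wrap_safe=%d oob_bytes=%llu\n",
               i, guard_prepatch(&cases[i]), guard_patched(&cases[i]),
               guard_wrap_safe(&cases[i]),
               (unsigned long long)bytes_out_of_bounds(&cases[i]));
    }
    return 0;
}
```

The second case is the one the patch closes: the pre-patch guard accepts it because the sum fits `max_decomp_size`, while the patched guard rejects it against `dec_size`. The third case shows why the subtraction form is preferable: with a wrapped sum both the pre-patch and the patched guard return true, and only the wrap-safe variant rejects the entry.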

Preconditions

  • input: the attacker must supply a malformed DWG file that reaches the R2004 compressed section decompression path
  • config: the target system must process the file with the dwgbmp utility
  • auth: no authentication required; the file is remotely deliverable

Reproduction

Clone the repository at commit 6d6a339, configure with AddressSanitizer flags (`-fsanitize=address`), build with `make`, then run `dwgbmp poc.dwg` against a crafted PoC file [ref_id=1]. The ASan report confirms a heap-buffer-overflow read of size 1 at `bit_read_RC` in `bits.c:281` [ref_id=1].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (7)

News mentions (0)

No linked articles in our index yet.