Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15182

CVE-2026-15182: GNU LibreDWG Buffer Overflow Vulnerability

CVE-2026-15182 is a heap-based buffer overflow flaw in GNU LibreDWG's BMP Image Handler that allows local attackers to exploit memory corruption. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-15182 Overview

CVE-2026-15182 is a heap-based buffer overflow vulnerability in GNU LibreDWG versions up to 0.13.4. The flaw resides in the dwg_bmp function within src/dwg.c, part of the BMP Image Handler component. Parsing a malformed DWG file with an embedded thumbnail preview triggers the overflow because the code fails to validate that the container is large enough before subtracting from dat.size. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Exploitation requires local access and the attack complexity is low. A proof of concept has been published, and the issue is fixed in LibreDWG 0.14.

Critical Impact

A local attacker supplying a crafted DWG file to a tool linked against LibreDWG can trigger a heap-based buffer overflow in dwg_bmp, causing memory corruption or process termination.

Affected Products

  • GNU LibreDWG versions up to and including 0.13.4
  • Applications and utilities that link against vulnerable LibreDWG builds
  • Fixed in GNU LibreDWG 0.14

Discovery Timeline

  • 2026-07-09 - CVE-2026-15182 published to NVD
  • 2026-07-09 - Last updated in NVD database
  • Patch commit - 18fd542bb4d5ccedf9de12052bf50068b2b26f06 merged to LibreDWG repository

Technical Details for CVE-2026-15182

Vulnerability Analysis

LibreDWG is the GNU library for reading and writing AutoCAD DWG files. The dwg_bmp routine extracts a BMP thumbnail preview stored inside the DWG container. It reads an osize field from the file stream that declares the overall size of embedded images. The pre-patch check compared osize against dat.size - 4 using unsigned arithmetic, without first verifying that dat.size was at least 5 bytes. A truncated or crafted DWG file with dat.size < 5 caused the subtraction to underflow, producing a very large unsigned bound that any attacker-supplied osize could satisfy. The function then operated on a heap buffer using unvalidated offsets, resulting in heap corruption.

Root Cause

The root cause is an integer underflow in the bounds check that guards heap buffer access. The original guard osize > (dat.size - 4) did not enforce a minimum size for dat.size, so a small container produced a wraparound and defeated the length validation.

Attack Vector

Exploitation is local. A user must open a crafted DWG file with a program that calls dwg_bmp — for example, a converter, viewer, or thumbnail extractor built on LibreDWG. No elevated privileges are required beyond the ability to invoke the vulnerable process on the target host.

c
   LOG_TRACE ("Thumbnail: " FORMAT_RL "\n", dwg->header.thumbnail_address);
   osize = bit_read_RL (&dat); /* overall size of all images */
   LOG_TRACE ("overall size: " FORMAT_RL " [RL]\n", osize);
-  if (osize > (dat.size - 4))
+  if (dat.size < 5 || osize > dat.size - 4)
     {
       LOG_ERROR ("Preview overflow > %" PRIuSIZE, dat.size - 4);
       return NULL;

Source: LibreDWG commit 18fd542

Detection Methods for CVE-2026-15182

Indicators of Compromise

  • DWG files with a declared thumbnail osize value that exceeds the physical file length
  • DWG files under 5 bytes reaching dwg_bmp, or containers with truncated header regions
  • Crashes or SIGSEGV in processes that link libredwg.so when opening user-supplied DWG content
  • Presence of the published proof-of-concept sample libredwg_0b57303_heap_overflow_decode_R13_R2000.dwg

Detection Strategies

  • Inventory installed LibreDWG versions across workstations and build hosts, flagging any release at or below 0.13.4
  • Run AddressSanitizer or Valgrind against LibreDWG-based tooling in test environments to surface the overflow on suspect files
  • Match hashes of known PoC files at gateway and endpoint scanning points

Monitoring Recommendations

  • Monitor endpoint telemetry for repeated crashes of DWG viewers, converters (dwg2SVG, dwgread), or CAD applications loading LibreDWG
  • Alert on unexpected child processes or shell activity spawned from CAD tooling following DWG file opens
  • Log file provenance for DWG artifacts introduced from email, USB media, or external file shares

How to Mitigate CVE-2026-15182

Immediate Actions Required

  • Upgrade GNU LibreDWG to version 0.14 on all systems that ship or depend on the library
  • Rebuild and redistribute any downstream tools statically linked against a vulnerable LibreDWG
  • Restrict opening DWG files from untrusted sources until patched binaries are deployed

Patch Information

The fix is commit 18fd542bb4d5ccedf9de12052bf50068b2b26f06, released in LibreDWG v0.14. The patch adds a dat.size < 5 guard before computing dat.size - 4, preventing the unsigned underflow. Additional context is available in GitHub Issue #1249 and GitHub Issue #1252.

Workarounds

  • Process untrusted DWG files inside a sandbox, container, or dedicated non-privileged user account
  • Disable thumbnail extraction paths in workflows that do not require BMP previews
  • Apply file-type gating at the network perimeter to block DWG delivery from untrusted senders until systems are updated
bash
# Verify installed LibreDWG version and upgrade from source
dwgread --version

git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 0.14
sh autogen.sh
./configure --disable-bindings
make
sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.