CVE-2026-15182 Overview
CVE-2026-15182 is a heap-based buffer overflow vulnerability in GNU LibreDWG versions up to 0.13.4. The flaw resides in the dwg_bmp function within src/dwg.c, part of the BMP Image Handler component. Parsing a malformed DWG file with an embedded thumbnail preview triggers the overflow because the code fails to validate that the container is large enough before subtracting from dat.size. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer). Exploitation requires local access and the attack complexity is low. A proof of concept has been published, and the issue is fixed in LibreDWG 0.14.
Critical Impact
A local attacker supplying a crafted DWG file to a tool linked against LibreDWG can trigger a heap-based buffer overflow in dwg_bmp, causing memory corruption or process termination.
Affected Products
- GNU LibreDWG versions up to and including 0.13.4
- Applications and utilities that link against vulnerable LibreDWG builds
- Fixed in GNU LibreDWG 0.14
Discovery Timeline
- 2026-07-09 - CVE-2026-15182 published to NVD
- 2026-07-09 - Last updated in NVD database
- Patch commit - 18fd542bb4d5ccedf9de12052bf50068b2b26f06 merged to LibreDWG repository
Technical Details for CVE-2026-15182
Vulnerability Analysis
LibreDWG is the GNU library for reading and writing AutoCAD DWG files. The dwg_bmp routine extracts a BMP thumbnail preview stored inside the DWG container. It reads an osize field from the file stream that declares the overall size of embedded images. The pre-patch check compared osize against dat.size - 4 using unsigned arithmetic, without first verifying that dat.size was at least 5 bytes. A truncated or crafted DWG file with dat.size < 5 caused the subtraction to underflow, producing a very large unsigned bound that any attacker-supplied osize could satisfy. The function then operated on a heap buffer using unvalidated offsets, resulting in heap corruption.
Root Cause
The root cause is an integer underflow in the bounds check that guards heap buffer access. The original guard osize > (dat.size - 4) did not enforce a minimum size for dat.size, so a small container produced a wraparound and defeated the length validation.
Attack Vector
Exploitation is local. A user must open a crafted DWG file with a program that calls dwg_bmp — for example, a converter, viewer, or thumbnail extractor built on LibreDWG. No elevated privileges are required beyond the ability to invoke the vulnerable process on the target host.
LOG_TRACE ("Thumbnail: " FORMAT_RL "\n", dwg->header.thumbnail_address);
osize = bit_read_RL (&dat); /* overall size of all images */
LOG_TRACE ("overall size: " FORMAT_RL " [RL]\n", osize);
- if (osize > (dat.size - 4))
+ if (dat.size < 5 || osize > dat.size - 4)
{
LOG_ERROR ("Preview overflow > %" PRIuSIZE, dat.size - 4);
return NULL;
Source: LibreDWG commit 18fd542
Detection Methods for CVE-2026-15182
Indicators of Compromise
- DWG files with a declared thumbnail osize value that exceeds the physical file length
- DWG files under 5 bytes reaching dwg_bmp, or containers with truncated header regions
- Crashes or SIGSEGV in processes that link libredwg.so when opening user-supplied DWG content
- Presence of the published proof-of-concept sample libredwg_0b57303_heap_overflow_decode_R13_R2000.dwg
Detection Strategies
- Inventory installed LibreDWG versions across workstations and build hosts, flagging any release at or below 0.13.4
- Run AddressSanitizer or Valgrind against LibreDWG-based tooling in test environments to surface the overflow on suspect files
- Match hashes of known PoC files at gateway and endpoint scanning points
Monitoring Recommendations
- Monitor endpoint telemetry for repeated crashes of DWG viewers, converters (dwg2SVG, dwgread), or CAD applications loading LibreDWG
- Alert on unexpected child processes or shell activity spawned from CAD tooling following DWG file opens
- Log file provenance for DWG artifacts introduced from email, USB media, or external file shares
How to Mitigate CVE-2026-15182
Immediate Actions Required
- Upgrade GNU LibreDWG to version 0.14 on all systems that ship or depend on the library
- Rebuild and redistribute any downstream tools statically linked against a vulnerable LibreDWG
- Restrict opening DWG files from untrusted sources until patched binaries are deployed
Patch Information
The fix is commit 18fd542bb4d5ccedf9de12052bf50068b2b26f06, released in LibreDWG v0.14. The patch adds a dat.size < 5 guard before computing dat.size - 4, preventing the unsigned underflow. Additional context is available in GitHub Issue #1249 and GitHub Issue #1252.
Workarounds
- Process untrusted DWG files inside a sandbox, container, or dedicated non-privileged user account
- Disable thumbnail extraction paths in workflows that do not require BMP previews
- Apply file-type gating at the network perimeter to block DWG delivery from untrusted senders until systems are updated
# Verify installed LibreDWG version and upgrade from source
dwgread --version
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 0.14
sh autogen.sh
./configure --disable-bindings
make
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

