CVE-2026-15184 Overview
CVE-2026-15184 is a null pointer dereference vulnerability in GNU LibreDWG versions up to 0.13.4. The flaw resides in the dwg_next_entity function within src/dwg.c, part of the DWG File Handler component. An attacker can trigger the condition by manipulating the next_obj argument, leading to a process crash. Exploitation requires local access and low privileges. A public exploit exists, and the issue is tracked under [CWE-404] (Improper Resource Shutdown or Release). The vulnerability is fixed in version 0.14 via commit dde45dac3c4d902e4d8fed150a8017b9732019c9. This issue is distinct from CVE-2026-9503.
Critical Impact
Local attackers can cause a denial-of-service condition in applications parsing malicious DWG files through the LibreDWG library.
Affected Products
- GNU LibreDWG versions up to and including 0.13.4
- Applications linking against vulnerable LibreDWG builds (e.g., dwggrep)
- Downstream distributions packaging LibreDWG prior to 0.14
Discovery Timeline
- 2026-07-09 - CVE-2026-15184 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15184
Vulnerability Analysis
The vulnerability exists in the dwg_next_entity function in src/dwg.c. This function walks entity references within a parsed DWG file and returns the next entity object in sequence. When processing crafted DWG input, the function calls dwg_ref_object_silent to resolve an object handle. The resolver can return NULL when the referenced handle cannot be dereferenced. The unpatched code accesses next_obj->supertype without checking for NULL, causing the process to segfault. Public proof-of-concept material demonstrates the crash using the dwggrep utility against a malformed .dwg file.
Root Cause
The root cause is a missing null check on the pointer returned by dwg_ref_object_silent. The original code assumed the resolver always returned a valid Dwg_Object pointer when next->absolute_ref was set. Attacker-controlled DWG structures can invalidate this assumption, producing a dangling reference and dereferencing NULL.
Attack Vector
An attacker must have local access to a system where a user or automated process parses an attacker-supplied DWG file with LibreDWG. Attack complexity is low and no user interaction beyond opening the file is required. The impact is limited to availability of the parsing process; no confidentiality or integrity impact is documented.
if (next && next->absolute_ref)
{
Dwg_Object *next_obj = dwg_ref_object_silent (obj->parent, next);
- return (obj == next_obj
+ return (next_obj == NULL || obj == next_obj
|| next_obj->supertype != DWG_SUPERTYPE_ENTITY)
? NULL
: next_obj;
Source: GitHub Commit dde45da. The patch adds a next_obj == NULL guard before accessing next_obj->supertype, returning NULL safely when the reference cannot be resolved.
Detection Methods for CVE-2026-15184
Indicators of Compromise
- Unexpected termination or SIGSEGV crashes in processes linking libredwg (for example, dwggrep, dwg2dxf).
- Presence of untrusted .dwg files in user-writable directories preceding parser crashes.
- Core dumps referencing the dwg_next_entity symbol in src/dwg.c.
Detection Strategies
- Inventory installed LibreDWG versions across endpoints and build pipelines; flag any version at or below 0.13.4.
- Correlate application crash telemetry with recent DWG file access events to identify parsing-triggered faults.
- Match the public proof-of-concept sample referenced in the GitHub PoC Repository against files landing on shared storage.
Monitoring Recommendations
- Monitor process exit codes and segmentation faults for CAD-adjacent utilities that consume DWG input.
- Alert on abnormal invocation of dwggrep or similar LibreDWG-based tools against files from untrusted sources.
- Track package inventory drift so that unpatched libredwg installations are surfaced during routine software audits.
How to Mitigate CVE-2026-15184
Immediate Actions Required
- Upgrade GNU LibreDWG to version 0.14 or later on all systems and rebuild any statically linked consumers.
- Restrict DWG parsing workflows to trusted, authenticated sources until patching is complete.
- Remove or quarantine unknown .dwg files from shared and user-writable locations.
Patch Information
The fix is committed as dde45dac3c4d902e4d8fed150a8017b9732019c9 and shipped in the 0.14 release. Reference the GitHub Release Tag 0.14 and the tracking issue at LibreDWG Issue #1253. Distribution maintainers should backport the commit if a full version upgrade is not feasible.
Workarounds
- Disable or remove LibreDWG-based utilities on hosts that do not require DWG processing.
- Enforce file-type validation and least-privilege execution for any pipeline consuming DWG input.
- Sandbox LibreDWG parsing in isolated containers so that crashes do not affect adjacent services.
# Verify installed version and upgrade from source
libredwg-config --version 2>/dev/null || dwggrep --version
# Build and install LibreDWG 0.14
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 0.14
./autogen.sh && ./configure && make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

