Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-15184

CVE-2026-15184: GNU LibreDWG Use-After-Free Vulnerability

CVE-2026-15184 is a use-after-free vulnerability in GNU LibreDWG up to version 0.13.4 affecting the DWG File Handler component. This flaw allows local attackers to trigger null pointer dereference. This article covers technical details, affected versions, impact, and mitigation steps.

Published:

CVE-2026-15184 Overview

CVE-2026-15184 is a null pointer dereference vulnerability in GNU LibreDWG versions up to 0.13.4. The flaw resides in the dwg_next_entity function within src/dwg.c, part of the DWG File Handler component. An attacker can trigger the condition by manipulating the next_obj argument, leading to a process crash. Exploitation requires local access and low privileges. A public exploit exists, and the issue is tracked under [CWE-404] (Improper Resource Shutdown or Release). The vulnerability is fixed in version 0.14 via commit dde45dac3c4d902e4d8fed150a8017b9732019c9. This issue is distinct from CVE-2026-9503.

Critical Impact

Local attackers can cause a denial-of-service condition in applications parsing malicious DWG files through the LibreDWG library.

Affected Products

  • GNU LibreDWG versions up to and including 0.13.4
  • Applications linking against vulnerable LibreDWG builds (e.g., dwggrep)
  • Downstream distributions packaging LibreDWG prior to 0.14

Discovery Timeline

  • 2026-07-09 - CVE-2026-15184 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-15184

Vulnerability Analysis

The vulnerability exists in the dwg_next_entity function in src/dwg.c. This function walks entity references within a parsed DWG file and returns the next entity object in sequence. When processing crafted DWG input, the function calls dwg_ref_object_silent to resolve an object handle. The resolver can return NULL when the referenced handle cannot be dereferenced. The unpatched code accesses next_obj->supertype without checking for NULL, causing the process to segfault. Public proof-of-concept material demonstrates the crash using the dwggrep utility against a malformed .dwg file.

Root Cause

The root cause is a missing null check on the pointer returned by dwg_ref_object_silent. The original code assumed the resolver always returned a valid Dwg_Object pointer when next->absolute_ref was set. Attacker-controlled DWG structures can invalidate this assumption, producing a dangling reference and dereferencing NULL.

Attack Vector

An attacker must have local access to a system where a user or automated process parses an attacker-supplied DWG file with LibreDWG. Attack complexity is low and no user interaction beyond opening the file is required. The impact is limited to availability of the parsing process; no confidentiality or integrity impact is documented.

c
       if (next && next->absolute_ref)
         {
           Dwg_Object *next_obj = dwg_ref_object_silent (obj->parent, next);
-          return (obj == next_obj
+          return (next_obj == NULL || obj == next_obj
                   || next_obj->supertype != DWG_SUPERTYPE_ENTITY)
                      ? NULL
                      : next_obj;

Source: GitHub Commit dde45da. The patch adds a next_obj == NULL guard before accessing next_obj->supertype, returning NULL safely when the reference cannot be resolved.

Detection Methods for CVE-2026-15184

Indicators of Compromise

  • Unexpected termination or SIGSEGV crashes in processes linking libredwg (for example, dwggrep, dwg2dxf).
  • Presence of untrusted .dwg files in user-writable directories preceding parser crashes.
  • Core dumps referencing the dwg_next_entity symbol in src/dwg.c.

Detection Strategies

  • Inventory installed LibreDWG versions across endpoints and build pipelines; flag any version at or below 0.13.4.
  • Correlate application crash telemetry with recent DWG file access events to identify parsing-triggered faults.
  • Match the public proof-of-concept sample referenced in the GitHub PoC Repository against files landing on shared storage.

Monitoring Recommendations

  • Monitor process exit codes and segmentation faults for CAD-adjacent utilities that consume DWG input.
  • Alert on abnormal invocation of dwggrep or similar LibreDWG-based tools against files from untrusted sources.
  • Track package inventory drift so that unpatched libredwg installations are surfaced during routine software audits.

How to Mitigate CVE-2026-15184

Immediate Actions Required

  • Upgrade GNU LibreDWG to version 0.14 or later on all systems and rebuild any statically linked consumers.
  • Restrict DWG parsing workflows to trusted, authenticated sources until patching is complete.
  • Remove or quarantine unknown .dwg files from shared and user-writable locations.

Patch Information

The fix is committed as dde45dac3c4d902e4d8fed150a8017b9732019c9 and shipped in the 0.14 release. Reference the GitHub Release Tag 0.14 and the tracking issue at LibreDWG Issue #1253. Distribution maintainers should backport the commit if a full version upgrade is not feasible.

Workarounds

  • Disable or remove LibreDWG-based utilities on hosts that do not require DWG processing.
  • Enforce file-type validation and least-privilege execution for any pipeline consuming DWG input.
  • Sandbox LibreDWG parsing in isolated containers so that crashes do not affect adjacent services.
bash
# Verify installed version and upgrade from source
libredwg-config --version 2>/dev/null || dwggrep --version

# Build and install LibreDWG 0.14
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 0.14
./autogen.sh && ./configure && make && sudo make install

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.