CVE-2026-9500 Overview
CVE-2026-9500 is a heap-based buffer overflow in GNU LibreDWG versions up to 0.14. The flaw resides in the read_2004_compressed_section function in src/decode.c, which is part of the Dwgread utility used to parse DWG files. An attacker with local access can supply a crafted DWG file that triggers an out-of-bounds heap write or read during decoding. Public exploit material is available in a GitHub proof-of-concept repository, and the project was notified through an issue report but has not yet responded. The vulnerability is classified under [CWE-119] (Improper Restriction of Operations within the Bounds of a Memory Buffer).
Critical Impact
A crafted DWG file processed by Dwgread can corrupt heap memory, potentially leading to denial of service or local code execution in the context of the user running the utility.
Affected Products
- GNU LibreDWG versions up to and including 0.14
- Dwgread utility (component of LibreDWG)
- src/decode.c source module, function read_2004_compressed_section
Discovery Timeline
- 2026-05-25 - CVE-2026-9500 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9500
Vulnerability Analysis
LibreDWG is the GNU library for reading and writing DWG, the native binary format used by AutoCAD. The DWG 2004 file format compresses section data using a custom algorithm that LibreDWG decompresses through read_2004_compressed_section in src/decode.c. The vulnerability occurs when this function processes attacker-controlled length or offset fields without sufficient validation against the destination heap allocation. A specially crafted DWG file forces the decoder to write past the bounds of the heap buffer, corrupting adjacent heap metadata or chunks.
The consequence depends on heap layout and the data overwritten. Outcomes range from process crashes to controlled memory corruption that can be leveraged for code execution. Because Dwgread is a command-line utility frequently invoked on untrusted input, supply-chain workflows and CAD processing pipelines are realistic attack surfaces.
Root Cause
The root cause is missing or insufficient bounds checking on length and offset values parsed from the compressed section header. The decoder trusts size fields from the file when computing destination writes, allowing the input to dictate how many bytes are written into a fixed-size heap allocation. This is a classic [CWE-119] buffer boundary violation in a binary parser.
Attack Vector
Exploitation requires local access and the ability to have a victim or automated pipeline open a malicious DWG file with dwgread or any consumer linking against LibreDWG. The attacker delivers a crafted DWG sample. When the parser reaches the 2004 compressed section, it allocates a buffer based on one field and writes data sized by another attacker-controlled field, producing the out-of-bounds write. A reference proof-of-concept DWG sample is published in the GitHub PoC Repository. Additional triage details are tracked in the GitHub Issue Tracker and VulDB #365482.
No verified code examples are available. See the linked issue and PoC artifact for technical reproduction details.
Detection Methods for CVE-2026-9500
Indicators of Compromise
- Unexpected crashes or segmentation faults from dwgread or processes linking libredwg when handling DWG files
- Presence of the published PoC file libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg or files with similar malformed 2004 compressed section headers
- DWG files originating from untrusted sources placed in automated CAD processing directories
Detection Strategies
- Run LibreDWG and Dwgread builds under AddressSanitizer (ASan) in test and triage environments to catch heap-out-of-bounds writes at parse time
- Hash and quarantine DWG samples and compare against the published PoC artifact hash from the GitHub repository
- Add file-type and size sanity checks at ingestion to flag DWG files with anomalous section table fields
Monitoring Recommendations
- Monitor process telemetry for abnormal exits, SIGSEGV, or SIGABRT events from dwgread and applications embedding LibreDWG
- Log invocations of CAD parsing utilities, including the source path of input files, to support post-incident triage
- Audit shared file repositories and email gateways for DWG attachments from external senders
How to Mitigate CVE-2026-9500
Immediate Actions Required
- Restrict use of dwgread and other LibreDWG-based tools to trusted DWG inputs until a fixed release is published
- Isolate automated CAD processing in a sandbox or container with no network access and minimal filesystem privileges
- Remove or disable the Dwgread utility on systems where it is not required
Patch Information
At the time of publication, the LibreDWG project had not released a fix. The issue is tracked upstream in the GitHub Issue Tracker. Monitor the GNU Project Website and the LibreDWG repository for an updated release beyond version 0.14 that addresses bounds checking in read_2004_compressed_section.
Workarounds
- Do not open DWG files from untrusted or unverified sources with LibreDWG-based tools
- Run Dwgread inside a restricted sandbox (for example, firejail, bubblewrap, or a disposable container) when DWG parsing is unavoidable
- Rebuild LibreDWG with hardening flags such as -D_FORTIFY_SOURCE=2, -fstack-protector-strong, and AddressSanitizer for triage workflows
- Apply mandatory access controls (SELinux, AppArmor) to limit the privileges of processes that parse DWG files
# Configuration example: run dwgread in a restricted bubblewrap sandbox
bwrap \
--ro-bind /usr /usr \
--ro-bind /lib /lib \
--ro-bind /lib64 /lib64 \
--bind /tmp/dwg-sandbox /work \
--chdir /work \
--unshare-all \
--die-with-parent \
-- dwgread ./untrusted.dwg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
