CVE-2026-9502 Overview
CVE-2026-9502 is a heap-based buffer overflow vulnerability in GNU LibreDWG up to version 0.14. The flaw resides in the decompress_R2004_section function within src/decode.c, a component of the Dwgread Utility. Processing a crafted DWG file triggers out-of-bounds writes on the heap, leading to memory corruption. The issue is categorized under CWE-119 for improper restriction of operations within the bounds of a memory buffer. Exploitation requires local access, and a proof-of-concept file is publicly available. The maintainers have committed a fix under patch identifier e501cb9926c1e9a07a0d1cc997f3e69e9be801c9.
Critical Impact
A local attacker can supply a malformed DWG file to corrupt heap memory in the Dwgread Utility, enabling potential code execution or process crashes.
Affected Products
- GNU LibreDWG versions up to and including 0.14
- Dwgread Utility component (src/decode.c)
- Applications and toolchains embedding the affected LibreDWG library
Discovery Timeline
- 2026-05-25 - CVE-2026-9502 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9502
Vulnerability Analysis
The vulnerability exists in decompress_R2004_section, a routine that decompresses sections of DWG files using the R2004 file format specification. During decompression, the function fails to enforce proper bounds checks on the destination heap buffer. A crafted DWG file containing manipulated section metadata or length fields causes the routine to write beyond the allocated buffer.
Heap corruption of this kind can overwrite adjacent allocator metadata or application data structures. Depending on heap layout, the consequence ranges from process crashes to controlled write primitives. The Dwgread Utility is commonly invoked against untrusted DWG files during inspection, conversion, or batch processing workflows, which increases the operational exposure for engineering and CAD pipelines.
Root Cause
The root cause is insufficient validation of decompressed section size relative to the destination buffer allocation. The decompress_R2004_section logic trusts attacker-controllable length values embedded in the DWG container before performing the write loop. This pattern matches the [CWE-119] classification for buffer boundary violations.
Attack Vector
Exploitation requires local delivery of a malicious DWG file to a user or service that invokes dwgread or links against LibreDWG. Network-based remote exploitation is not in scope under the assigned attack vector, but file-sharing platforms, email attachments, and CAD pipelines remain viable delivery channels. A public proof-of-concept DWG file is hosted at the GitHub PoC Repository.
The vulnerability manifests when the decompression loop writes attacker-controlled bytes past the end of the allocated heap region. Refer to the GitHub Issue Discussion and the GitHub Commit Log for the technical fix details.
Detection Methods for CVE-2026-9502
Indicators of Compromise
- DWG files matching the published PoC hash or originating from untrusted sources processed by dwgread
- Unexpected crashes, SIGABRT, or heap corruption messages from dwgread or applications linked to libredwg
- Core dumps showing faulting frames inside decompress_R2004_section in src/decode.c
Detection Strategies
- Hunt for dwgread process executions that terminate abnormally with non-zero exit codes following DWG file ingestion
- Inspect file ingestion pipelines for DWG files with anomalous section headers or oversized compressed sections
- Run AddressSanitizer or Valgrind builds of LibreDWG against ingested DWG corpora to surface heap overflow signatures
Monitoring Recommendations
- Log invocations of dwgread and parent processes that feed it untrusted CAD files
- Alert on installed libredwg versions at or below 0.14 across the fleet via software inventory data
- Capture stderr from CAD processing services to identify decoder warnings that precede crashes
How to Mitigate CVE-2026-9502
Immediate Actions Required
- Apply the upstream fix from commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 and rebuild LibreDWG from source
- Restrict dwgread and LibreDWG-linked tooling to trusted DWG inputs until patched binaries are deployed
- Isolate CAD processing services in sandboxed accounts with minimal filesystem privileges
Patch Information
The LibreDWG maintainers have published the fix in the upstream repository under commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. Downstream distributions should rebuild packages against the patched source tree. Reference the GitHub Commit Log, the VulDB #365484 entry, and the GNU Security Resource for additional vendor guidance.
Workarounds
- Block ingestion of DWG files from untrusted sources in automated processing pipelines
- Run dwgread under a restricted user account with no access to sensitive data or credentials
- Enable compiler hardening flags such as -D_FORTIFY_SOURCE=2, -fstack-protector-strong, and AddressSanitizer in test builds to surface exploitation attempts
# Build LibreDWG from the patched source
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout e501cb9926c1e9a07a0d1cc997f3e69e9be801c9
./autogen.sh
./configure --disable-shared CFLAGS="-O2 -D_FORTIFY_SOURCE=2 -fstack-protector-strong"
make && sudo make install
# Verify the installed version
dwgread --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
