CVE-2026-9503 Overview
CVE-2026-9503 is a null pointer dereference vulnerability in GNU LibreDWG versions up to 0.14. The flaw resides in the dwg_next_entity function within src/decode.c, part of the DWG File Handler component. Attackers with local access can trigger the dereference by supplying a crafted DWG file, causing the library or any application linking against it to crash. The issue is tracked under [CWE-404] (Improper Resource Shutdown or Release) and has been publicly disclosed alongside a proof-of-concept. The maintainers have committed a fix in upstream commit 8f03865f37f5d4ffd616fef802acc980be54d300.
Critical Impact
Local attackers can crash applications that parse untrusted DWG files using LibreDWG, producing a denial-of-service condition in CAD and conversion workflows.
Affected Products
- GNU LibreDWG versions up to and including 0.14
- The dwg_next_entity function in src/decode.c
- Applications and pipelines linking against vulnerable LibreDWG builds for DWG parsing
Discovery Timeline
- 2026-05-25 - CVE-2026-9503 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-9503
Vulnerability Analysis
The vulnerability is a null pointer dereference [CWE-404] in the DWG decoder of GNU LibreDWG. When dwg_next_entity in src/decode.c walks the entity list of a malformed DWG file, it dereferences a pointer that has not been validated against NULL. A specially crafted DWG file forces this code path and triggers a process crash.
A public proof-of-concept file has been released, demonstrating reliable triggering against unpatched builds. Exploitation requires local access and low privileges, and the impact is limited to availability of the parsing process. No code execution or information disclosure has been demonstrated.
Root Cause
The decoder did not enforce sufficient bounds and pointer validity checks on decompressed section metadata before traversing the entity chain. Address and size fields from the compressed section could exceed buffer boundaries, leaving downstream pointers uninitialized or invalid. The upstream patch tightens these checks to reject malformed sections before they reach dwg_next_entity.
Attack Vector
The attack vector is local. An attacker delivers a malicious DWG file to a user or automated pipeline that invokes a LibreDWG-based parser, such as dwgread, dwg2dxf, or any application embedding libredwg. Opening the file causes the decoder to traverse the corrupted structure and dereference a null pointer, terminating the process.
= MIN ((BITCODE_RL)(info->size - es.fields.address),
es.fields.page_size);
if (info->compressed == 2 || bytes_left < 0
+ || es.fields.address > max_decomp_size
|| es.fields.address + size > max_decomp_size
+ || es.fields.address + size > dec.size
|| offset + size > dat->size)
{
LOG_ERROR ("Some section size or address out of bounds");
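Review bot: the added `es.fields.address + size > dec.size` comparison, like the existing `es.fields.address + size > max_decomp_size`, is only sound if the sum cannot wrap; with 32-bit unsigned fields a large address plus size can wrap to a small value and pass both. Consider bounding the address first and then comparing in subtraction form, for example `size > dec.size - es.fields.address`, so the check holds regardless of operand width. The `MIN ((BITCODE_RL)(info->size - es.fields.address), ...)` expression above the `if` also runs before any of these checks, so an address larger than `info->size` has already been subtracted and cast by the time it is rejected. Finally, the LOG_ERROR text does not say which condition failed or print the offending address and size, which would help when triaging rejected files.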
Source: GitHub Commit 8f03865. The patch adds explicit bounds checks on es.fields.address against max_decomp_size and dec.size, rejecting sections whose decompressed address or size would exceed the allocated buffer before any downstream pointer arithmetic occurs.
Detection Methods for CVE-2026-9503
Indicators of Compromise
- Unexpected crashes or SIGSEGV signals from processes invoking libredwg, dwgread, or related CLI tools while parsing DWG files
- Presence of the public PoC sample libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg or files with similar malformed AutoCAD R2004 compressed section structures
- Core dumps referencing the dwg_next_entity symbol or src/decode.c frames
Detection Strategies
- Inventory systems for installed LibreDWG packages and compare versions against 0.14 and earlier using package managers such as dpkg -l 'libredwg*' or rpm -qa | grep libredwg
- Hash-match incoming DWG attachments and uploads against the published PoC artifact referenced in the GitHub PoC Repository
- Scan source builds and container images for the absence of commit 8f03865f37f5d4ffd616fef802acc980be54d300 in vendored LibreDWG copies
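For vendored copies that carry no git history, the commit hash cannot be looked up, but the two conditions the patch adds can be searched for directly. The script below is an added example, not part of LibreDWG or the original advisory; its function names are hypothetical, and it assumes the vendored decode.c still contains the check in the form shown in the hunk above.

```sh
#!/bin/sh
# Added example: heuristic check of vendored LibreDWG decode.c copies for the
# two conditions the patch adds. Function names here are hypothetical.

# has_text FILE STRING: succeeds if FILE contains STRING, ignoring whitespace
has_text() {
    tr -d ' \t\r\n' < "$1" | grep -qF -- "$(printf '%s' "$2" | tr -d ' \t')"
}

# check_decode_c FILE: prints skip | patched | unpatched
check_decode_c() {
    # The LOG_ERROR text from the hunk marks the section-bounds check.
    if ! has_text "$1" 'Some section size or address out of bounds'; then
        echo skip; return 2
    fi
    if has_text "$1" 'es.fields.address > max_decomp_size' &&
       has_text "$1" 'es.fields.address + size > dec.size'; then
        echo patched; return 0
    fi
    echo unpatched; return 1    # includes partial backports
}

# scan_tree DIR: one "verdict<TAB>path" line per LibreDWG decoder found;
# returns 1 if any copy lacks the added checks
scan_tree() {
    find "$1" -type f -name decode.c | (
        rc=0
        while IFS= read -r f; do
            verdict=$(check_decode_c "$f") || true
            case $verdict in
                skip) continue ;;
                unpatched) rc=1 ;;
            esac
            printf '%s\t%s\n' "$verdict" "$f"
        done
        exit "$rc"
    )
}

if [ "$#" -gt 0 ]; then scan_tree "$1"; fi
```

Run it against an unpacked source tree or an exported container filesystem; a non-zero exit status means at least one copy lacks the added checks.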
Monitoring Recommendations
- Monitor application logs and system journals for repeated abnormal terminations of CAD or file-conversion services that process user-supplied DWG content
- Alert on file uploads to shared drives and document portals where DWG files fail validation or trigger parser exceptions
- Track outbound process telemetry from build agents and CI workers that batch-process DWG files for unexpected exit codes
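One way to turn the exit-code monitoring above into a per-file signal is to run each parse as its own child process and triage the wait status. This is an added example, not code from LibreDWG or the original advisory; DWG_PARSER and QUARANTINE_DIR are assumed variable names, and the parser is invoked with the file path as its only argument.

```sh
#!/bin/sh
# Added example: run one DWG parse in a child process and triage its status.
# DWG_PARSER and QUARANTINE_DIR are assumed names, not LibreDWG settings.
DWG_PARSER=${DWG_PARSER:-dwgread}
QUARANTINE_DIR=${QUARANTINE_DIR:-./quarantine}

# triage_dwg FILE: prints one log line.
# Returns 0 parsed, 1 rejected by parser, 2 parser crashed, 3 parser not runnable
triage_dwg() {
    file=$1
    rc=0
    # The parser is a separate process, so a NULL dereference ends only that
    # process; the batch job survives and reads the wait status.
    "$DWG_PARSER" "$file" >/dev/null 2>&1 || rc=$?
    case $rc in
        0)       echo "ok file=$file"; return 0 ;;
        126|127) echo "error parser-not-runnable exit=$rc"; return 3 ;;
    esac
    if [ "$rc" -le 128 ]; then
        echo "rejected file=$file exit=$rc"; return 1
    fi
    # A status above 128 means death by signal (139 = 128 + SIGSEGV).
    sig=$(kill -l $((rc - 128)) 2>/dev/null || echo "$((rc - 128))")
    sum=$(sha256sum "$file" | cut -d' ' -f1)
    # Keep the input for analysis, named by hash, and out of the retry path.
    mkdir -p "$QUARANTINE_DIR"
    mv -- "$file" "$QUARANTINE_DIR/$sum.dwg"
    echo "crashed file=$file signal=$sig sha256=$sum"
    return 2
}

if [ "$#" -gt 0 ]; then triage_dwg "$1"; fi
```

The logged SHA-256 can be compared against the published PoC artifact, and repeated "crashed" lines for one uploader or share are the pattern to alert on.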
How to Mitigate CVE-2026-9503
Immediate Actions Required
- Upgrade GNU LibreDWG to a version that includes commit 8f03865f37f5d4ffd616fef802acc980be54d300 or later
- Rebuild and redeploy any applications statically linking a vendored copy of LibreDWG after applying the patch
- Restrict ingestion of DWG files from untrusted sources until patched builds are in place
Patch Information
The fix is upstream commit 8f03865f37f5d4ffd616fef802acc980be54d300, which adds bounds checks on decompressed section address and size in src/decode.c. Track maintainer discussion in the LibreDWG Issue Tracker and the VulDB Vulnerability Report.
Workarounds
- Sandbox DWG parsing operations using containers, seccomp, or firejail so a crash in dwg_next_entity cannot affect host services
- Validate file provenance and apply size or origin filters before passing DWG content to LibreDWG-based tools
- Disable automated DWG conversion in shared services until a patched LibreDWG package is deployed
# Configuration example: rebuild LibreDWG from patched source
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 8f03865f37f5d4ffd616fef802acc980be54d300
sh autogen.sh
./configure --disable-bindings
make -j"$(nproc)"
sudo make install


