CVE-2026-9504 Overview
CVE-2026-9504 is an out-of-bounds read vulnerability in GNU LibreDWG versions up to 0.14. The flaw resides in the bit_convert_TU function within programs/dwggrep.c, part of the Dwggrep Utility component. An attacker can trigger the issue by supplying a crafted DWG file processed locally by the dwggrep tool, causing the function to read past the bounds of an allocated heap buffer. A public proof-of-concept exists in a GitHub repository, but exploitation requires local access and low privileges. The weakness is classified under CWE-119, improper restriction of operations within the bounds of a memory buffer.
Critical Impact
A local attacker with a malicious DWG file can cause dwggrep to read out-of-bounds memory, leading to information disclosure or process crash.
Affected Products
- GNU LibreDWG versions up to and including 0.14
- dwggrep utility shipped with LibreDWG
- Downstream packages bundling vulnerable LibreDWG builds
Discovery Timeline
- 2026-05-25 - CVE-2026-9504 published to NVD
- 2026-05-26 - Last updated in NVD database
- Patch commit - be996bf2178a40e98720f18c2414815d244413db merged into LibreDWG upstream
Technical Details for CVE-2026-9504
Vulnerability Analysis
The vulnerability is an out-of-bounds heap read inside bit_convert_TU, the helper that converts UTF-16 (BITCODE_TU) wide strings to UTF-8 byte strings. When dwggrep searches LTYPE objects in DWG files produced by AutoCAD R2007 or later, it passes pointers into the dashes[i].text field without verifying that the wide string is null-terminated within the surrounding strings_area buffer. bit_convert_TU then walks the string until it encounters a NUL word, reading past the end of the heap allocation when the input is unterminated.
The primary impact is local information disclosure and denial of service through process crash. The vulnerability does not directly enable code execution and cannot be triggered remotely. It affects developers, CAD users, and automated pipelines that scan untrusted DWG files using dwggrep.
Root Cause
The root cause is missing bounds enforcement on the source buffer passed to bit_convert_TU. The function assumes input wide strings are NUL-terminated within their containing allocation. When a crafted LTYPE dash entry points into a strings_area whose remaining bytes contain no terminating NUL word, the read pointer advances beyond the allocation.
Attack Vector
An attacker crafts a DWG file with malformed LTYPE dash text entries and delivers it to a victim who runs dwggrep against the file. The attack requires local execution with low privileges and no user interaction beyond invoking the utility on attacker-supplied input.
```c
// Upstream fix in src/bits.c introduces a bounded conversion variant
// Source: https://github.com/LibreDWG/libredwg/commit/be996bf2178a40e98720f18c2414815d244413db
/* Bounded variant: returns NULL if not null-terminated within max_wchars. */
char *
bit_convert_TU_len (const BITCODE_TU restrict wstr, const size_t max_wchars)
{
  BITCODE_TU tmp = wstr;
  char *str;
  size_t wlen = 0;
  int i, len = 0;
  uint16_t c = 0;

  if (!wstr || !max_wchars)
    return NULL;
  wlen = bit_wcs2nlen (wstr, max_wchars);
  if (wlen == 0 && wstr[0] != 0)
    return NULL; /* not null-terminated within max_wchars */
  /* ... excerpt ends here; the rest of the function is in the commit above ... */
```
The corresponding caller in programs/dwggrep.c computes a max_wchars bound from the strings_area size before invoking the new bounded helper, ensuring the conversion stops within the allocated region.
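The bounded conversion described above, as an added example (not LibreDWG's code and not taken from the upstream commit): a hypothetical `area_utf16_to_utf8` derives the word limit from the area size and the string's byte offset, and rejects input that has no NUL word inside that limit. The function name, its parameters and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper, not LibreDWG code: convert the UTF-16LE string at byte
   offset `off` inside `area` to a malloc'd UTF-8 string. Returns NULL when no
   NUL word occurs before the end of the area. */
char *area_utf16_to_utf8(const uint8_t *area, size_t area_size, size_t off)
{
    if (!area || off >= area_size)
        return NULL;
    const uint8_t *p = area + off;
    size_t max_wchars = (area_size - off) / 2; /* whole words left in area */
    size_t wlen = 0, o = 0;
    /* Bounded scan: never inspect a word beyond the allocation. */
    while (wlen < max_wchars && (p[2 * wlen] | p[2 * wlen + 1]) != 0)
        wlen++;
    if (wlen == max_wchars)
        return NULL; /* unterminated: reject instead of reading on */
    char *out = malloc(wlen * 3 + 1); /* one code unit -> at most 3 bytes */
    if (!out)
        return NULL;
    for (size_t i = 0; i < wlen; i++) {
        unsigned c = p[2 * i] | ((unsigned)p[2 * i + 1] << 8);
        if (c < 0x80) { out[o++] = (char)c; continue; }
        if (c < 0x800) {
            out[o++] = (char)(0xC0 | (c >> 6));
        } else { /* surrogate pairs are not combined in this sketch */
            out[o++] = (char)(0xE0 | (c >> 12));
            out[o++] = (char)(0x80 | ((c >> 6) & 0x3F));
        }
        out[o++] = (char)(0x80 | (c & 0x3F));
    }
    out[o] = '\0';
    return out;
}

/* Constructed sample areas: "LT" with a terminator, "AB" without one. */
static const uint8_t good_area[] = { 'L', 0, 'T', 0, 0, 0 };
static const uint8_t bad_area[] = { 'A', 0, 'B', 0 };

int main(void)
{
    char *s = area_utf16_to_utf8(good_area, sizeof good_area, 0);
    char *t = area_utf16_to_utf8(bad_area, sizeof bad_area, 0);
    printf("good=%s bad=%s\n", s ? s : "NULL", t ? t : "NULL");
    free(s); free(t);
    return 0;
}
```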
Detection Methods for CVE-2026-9504
Indicators of Compromise
- Unexpected crashes or AddressSanitizer reports from dwggrep processes referencing bit_convert_TU in the stack trace
- DWG files containing malformed LTYPE objects with dash text entries lacking proper NUL termination within the strings_area
- Presence of the proof-of-concept file libredwg_6d6a339_heap_overflow_bit_convert_TU.dwg or files derived from it on developer workstations
Detection Strategies
- Build LibreDWG with AddressSanitizer (-fsanitize=address) in test environments and replay suspect DWG files to surface out-of-bounds reads.
- Inventory installed LibreDWG packages across Linux distributions and flag versions at or below 0.14.
- Monitor invocations of dwggrep against files originating outside trusted sources or shared file repositories.
Monitoring Recommendations
- Log process execution of dwggrep and correlate with the file path argument to identify scans of untrusted input.
- Alert on segmentation faults or abnormal exits from LibreDWG utilities recorded by systemd-coredump or dmesg.
- Track package versions of LibreDWG through configuration management to confirm patched binaries are deployed.
How to Mitigate CVE-2026-9504
Immediate Actions Required
- Update LibreDWG to a build that includes commit be996bf2178a40e98720f18c2414815d244413db or later.
- Restrict dwggrep execution to trusted DWG inputs until the patch is applied.
- Rebuild downstream packages and container images that statically link or bundle LibreDWG.
Patch Information
The upstream fix is delivered in commit be996bf2178a40e98720f18c2414815d244413db. The patch introduces bit_convert_TU_len, a bounded variant of bit_convert_TU that returns NULL if the wide string is not NUL-terminated within max_wchars. The dwggrep LTYPE handler is updated to compute a maximum wide-character count from the strings_area allocation before calling the bounded helper. See GitHub Issue #1246 and the VulDB entry #365486 for additional context.
Workarounds
- Avoid running dwggrep against DWG files received from untrusted sources until LibreDWG is updated.
- Process suspect DWG files inside sandboxed or containerized environments with no access to sensitive data.
- Replace use of dwggrep with alternative CAD inspection tooling for high-risk batch scanning workflows.
```sh
# Verify the installed LibreDWG version and rebuild from patched source
dwggrep --version
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout be996bf2178a40e98720f18c2414815d244413db
sh autogen.sh
./configure --enable-write
make && sudo make install
```


