CVE-2026-9530 Overview
CVE-2026-9530 affects GNU LibreDWG up to version 0.14, a free C library for reading and writing DWG files. The flaw resides in the read_2004_compressed_section function within src/decode.c, part of the Dwgbmp utility component. A crafted DWG file can trigger an out-of-bounds read during decompression of the 2004-format section. Exploitation requires local access and low privileges, with no user interaction. A public proof-of-concept exists, and upstream maintainers shipped commit 8f03865f37f5d4ffd616fef802acc980be54d300 to remediate the issue.
Critical Impact
Processing a malicious DWG file with a vulnerable LibreDWG build causes an out-of-bounds read in the decompression routine, leading to information disclosure or process termination [CWE-119].
Affected Products
- GNU LibreDWG versions up to and including 0.14
- Applications and utilities linking against vulnerable LibreDWG builds (including dwgbmp)
- Downstream Linux distributions packaging affected LibreDWG releases
Discovery Timeline
- 2026-05-26 - CVE-2026-9530 published to NVD
- 2026-05-26 - Last updated in NVD database
- Patch commit - 8f03865f37f5d4ffd616fef802acc980be54d300 published in the LibreDWG repository
Technical Details for CVE-2026-9530
Vulnerability Analysis
The defect is a memory boundary violation [CWE-119] inside read_2004_compressed_section, which parses compressed sections of AutoCAD 2004-format DWG containers. The function computes section size and address values directly from attacker-controlled header fields. When those fields exceed the allocated decompression buffer or the underlying data stream, the loop reads past the end of the buffer. The result is an out-of-bounds read on heap memory, exposing adjacent allocation contents or crashing the parser. Because the Dwgbmp utility and library are commonly invoked through file-handling workflows, malicious DWG files reach the vulnerable code without privileged operations.
Root Cause
The function trusted the decoded fields es.fields.address and es.fields.page_size without validating them against the destination buffer size (max_decomp_size) or the source buffer size (dec.size). Because those checks were missing, the span address + size could extend past the allocated buffers, and the copy loop read beyond them before it finished.
Attack Vector
An attacker with local access supplies a crafted DWG file to a user or service that processes it with LibreDWG. The parser dereferences out-of-range offsets during section decompression. Exploitation does not require elevated privileges and runs in the context of the invoking user.
= MIN ((BITCODE_RL)(info->size - es.fields.address),
es.fields.page_size);
if (info->compressed == 2 || bytes_left < 0
+ || es.fields.address > max_decomp_size
|| es.fields.address + size > max_decomp_size
+ || es.fields.address + size > dec.size
|| offset + size > dat->size)
{
LOG_ERROR ("Some section size or address out of bounds");
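Review bot: the sums in `es.fields.address + size > max_decomp_size` and the new `es.fields.address + size > dec.size` are still 32-bit additions that can wrap when page_size is large, so a wrapped sum can compare below the limit; with `es.fields.address > max_decomp_size` now checked first, the destination comparison can be written without the addition as `|| size > max_decomp_size - es.fields.address`, and the dec.size comparison should get the same treatment (`|| es.fields.address > dec.size || size > dec.size - es.fields.address`). The snippet also starts mid-assignment, so the declarations of `size` and `bytes_left` are not visible here and their types cannot be confirmed from the hunk alone.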
Source: LibreDWG commit 8f03865. The two lines prefixed with + are the added guards: they reject a section whose decoded address already exceeds max_decomp_size, or whose address + size exceeds dec.size, so the out-of-bounds read is blocked before the copy loop executes.
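To make the root cause and the two added guards concrete, here is an added C model of the pre- and post-patch bounds check (example code written for this page, not LibreDWG's own decoder). The struct, function names and all sizes are constructed; size is derived as in the snippet above, and the compressed == 2 and bytes_left conditions are omitted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the decoded header fields the parser trusts.
 * Field names follow the page's es.fields.* naming; not LibreDWG's struct. */
struct section_hdr {
    uint32_t address;   /* es.fields.address: start offset in the decomp buffer */
    uint32_t page_size; /* es.fields.page_size: bytes this page claims to hold */
    uint32_t offset;    /* offset of the page in the raw stream (dat) */
};

static uint32_t min_u32(uint32_t a, uint32_t b) { return a < b ? a : b; }

/* Pre-patch guard: the 32-bit sum address + size is only compared with the
 * destination size, so a wrapped sum or an undersized source buffer passes. */
bool section_ok_pre_patch(const struct section_hdr *h, uint32_t info_size,
                          uint32_t max_decomp_size, uint32_t dat_size)
{
    uint32_t size = min_u32(info_size - h->address, h->page_size);
    if (h->address + size > max_decomp_size) return false;
    if (h->offset + size > dat_size) return false;
    return true;
}

/* Post-patch guard, mirroring the two added lines in commit 8f03865:
 * reject an address already past the destination, and a span that exceeds
 * the source buffer (dec.size), before any copy loop touches memory. */
bool section_ok_post_patch(const struct section_hdr *h, uint32_t info_size,
                           uint32_t max_decomp_size, uint32_t dec_size,
                           uint32_t dat_size)
{
    uint32_t size = min_u32(info_size - h->address, h->page_size);
    if (h->address > max_decomp_size) return false;       /* added guard 1 */
    if (h->address + size > max_decomp_size) return false;
    if (h->address + size > dec_size) return false;       /* added guard 2 */
    if (h->offset + size > dat_size) return false;
    return true;
}

int main(void)
{
    /* Constructed crafted header: an address near UINT32_MAX makes the old
     * address + size comparison wrap to a small value and pass. */
    struct section_hdr crafted = { 0xFFFFFFF0u, 0x20, 0 };
    printf("pre-patch accepts:  %d\n", section_ok_pre_patch(&crafted, 0x1000, 0x1000, 0x1000));
    printf("post-patch accepts: %d\n", section_ok_post_patch(&crafted, 0x1000, 0x1000, 0x1000, 0x1000));
    return 0;
}
```

The second rejected case in the checks (address in range, but address + size larger than dec.size) is the undersized-source condition the page describes; the wrapped-sum case is the one that only the new address guard catches.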
Detection Methods for CVE-2026-9530
Indicators of Compromise
- Crashes or abnormal terminations in processes loading the libredwg shared object while parsing DWG input
- Presence of the proof-of-concept sample libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg referenced in the public PoC repository
- AddressSanitizer or Valgrind reports flagging heap-buffer-overflow reads inside read_2004_compressed_section
Detection Strategies
- Inventory binaries linked against vulnerable LibreDWG using package managers (dpkg -l | grep libredwg, rpm -qa | grep libredwg) and SBOM tooling
- Run fuzz harnesses or AddressSanitizer-instrumented builds against untrusted DWG files in a sandbox
- Hash-compare DWG files against the public PoC sample and alert on matches
Monitoring Recommendations
- Forward crash dumps from systems running DWG converters and CAD pipelines to a central log store for review
- Alert on unexpected child processes or segmentation faults from utilities such as dwgbmp, dwgread, and dwgwrite
- Track DWG file ingress through email gateways, file shares, and web upload endpoints to identify untrusted sources
How to Mitigate CVE-2026-9530
Immediate Actions Required
- Update LibreDWG to a build that includes commit 8f03865f37f5d4ffd616fef802acc980be54d300 or a later release beyond 0.14
- Rebuild and redistribute internal tools statically linked against vulnerable LibreDWG versions
- Restrict execution of LibreDWG utilities to trusted DWG sources until patching is complete
Patch Information
The upstream fix is published as commit 8f03865f37f5d4ffd616fef802acc980be54d300 in the LibreDWG repository. The patch adds bounds validation for the decoded section address and size before the decompression loop reads from the buffer. Issue tracking is available in the LibreDWG GitHub issue #1248 and the VulDB report 365549.
Workarounds
- Process untrusted DWG files inside a sandbox or container with no access to sensitive data
- Run LibreDWG utilities under a dedicated low-privilege account with strict filesystem ACLs
- Disable automated DWG ingestion pipelines until the patched library is deployed
# Verify installed LibreDWG version and rebuild from patched source
libredwg-config --version
git clone https://github.com/LibreDWG/libredwg.git
cd libredwg
git checkout 8f03865f37f5d4ffd616fef802acc980be54d300
./autogen.sh
./configure --disable-bindings
make && sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.