CVE-2026-9500 GNU CVE debrief

Who should care

Organizations using LibreDWG for DWG file processing in automated workflows, CAD data conversion pipelines, or document management systems. Security teams managing software supply chains with LibreDWG dependencies. Developers building applications that parse DWG files using LibreDWG libraries.

Technical summary

The vulnerability resides in the `read_2004_compressed_section` function within `src/decode.c` of GNU LibreDWG versions up to 0.14. A heap-based buffer overflow occurs when the Dwgread Utility processes a crafted DWG file, specifically affecting the decompression of 2004-format compressed sections. The attack requires local access and low privileges, with no user interaction needed. The vulnerability has been publicly disclosed with a proof-of-concept file available. The NVD status is 'Deferred', indicating the entry may require additional analysis or vendor coordination.

Defensive priority

LOW

Recommended defensive actions

• Restrict execution of untrusted DWG files in LibreDWG Dwgread Utility until patched
• Monitor GNU LibreDWG GitHub repository and official channels for security updates
• Apply input validation and sandboxing for DWG file processing workflows
• Review and update threat models for applications using LibreDWG for DWG file handling
• Consider alternative DWG parsing libraries if vendor responsiveness is critical to security posture

Evidence notes

The vulnerability is documented in NVD with status 'Deferred'. Multiple source references confirm the affected function (`read_2004_compressed_section`), file (`src/decode.c`), and component (Dwgread Utility). CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow) are identified as relevant weakness classifications. The CVSS 4.0 vector confirms local attack vector, low attack complexity, low privileges required, and no user interaction needed.

Official resources