CVE-2026-9501 GNU CVE debrief

Who should care

Organizations using GNU LibreDWG for DWG file processing, particularly in automated or multi-user environments where local file processing occurs. System administrators maintaining LibreDWG installations should prioritize patching. Developers integrating LibreDWG libraries should update dependencies. Security teams should assess exposure based on local user access to DWG processing tools.

Technical summary

The decompress_R2004_section function in src/decode.c of GNU LibreDWG 0.14 and earlier contains a reachable assertion vulnerability. Local attackers can trigger this assertion failure through manipulated input to the Dwgread Utility. The vulnerability is classified as CWE-617 (Reachable Assertion) with a LOW severity CVSS 4.0 score of 1.9 due to the local attack vector and limited availability impact. A fix has been committed to the project repository.

Defensive priority

LOW

Recommended defensive actions

• Apply patch commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 to remediate the reachable assertion vulnerability in decompress_R2004_section
• Upgrade to LibreDWG version containing the patch commit
• Restrict local access to Dwgread Utility where patching is not immediately feasible
• Monitor for updated stable releases from the LibreDWG project
• Review local file processing workflows for untrusted DWG file handling

Evidence notes

Vulnerability confirmed through official CVE record and NVD entry. Patch commit verified in LibreDWG repository. Exploit demonstration file publicly available. Vendor attribution to GNU LibreDWG project based on source references.

Official resources