PatchSiren cyber security CVE debrief

CVE-2026-9502 GNU CVE debrief

A heap-based buffer overflow vulnerability exists in GNU LibreDWG through version 0.14, specifically within the `decompress_R2004_section` function in `src/decode.c`. The vulnerability affects the Dwgread Utility component and requires local access to exploit. The CVSS 4.0 score of 1.9 reflects low severity due to local attack vector and low privileges required, though the exploit is publicly available. A patch has been committed to address this issue.

Vendor: GNU
Product: LibreDWG
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

Organizations using GNU LibreDWG for DWG file processing, particularly in environments where untrusted files may be handled. System administrators maintaining CAD file conversion or analysis pipelines.

Technical summary

The vulnerability resides in the `decompress_R2004_section` function within `src/decode.c` of GNU LibreDWG versions up to 0.14. A heap-based buffer overflow can be triggered during DWG file processing, potentially leading to memory corruption. The attack requires local access with low privileges. The fix is available via commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9.

Defensive priority

Low

Recommended defensive actions

  • Upgrade GNU LibreDWG to a version incorporating commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 or later
  • Restrict local access to systems processing untrusted DWG files
  • Monitor for updated releases from the LibreDWG project
  • Validate DWG file sources before processing with libredwg utilities

Evidence notes

Vulnerability confirmed via NVD with deferred status. Patch commit e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 identified in source references. Classified under CWE-119 and CWE-122. Public exploit availability noted in the CVSS vector (E:P, proof-of-concept exploit maturity).
