PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9504 GNU CVE debrief

A local out-of-bounds read vulnerability exists in GNU LibreDWG through version 0.14, specifically within the `bit_convert_TU` function in `programs/dwggrep.c` of the Dwggrep utility. The vulnerability allows a local attacker to trigger an out-of-bounds read condition. The CVSS 4.0 score of 1.9 (LOW severity) reflects the local attack vector and limited impact scope. A patch is available via commit `be996bf2178a40e98720f18c2414815d244413db`. The issue was published on 2026-05-25 and last modified on 2026-05-26. No known exploitation in ransomware campaigns has been reported, and this vulnerability is not listed in CISA KEV.

Vendor: GNU
Product: LibreDWG
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

System administrators managing multi-user environments with LibreDWG installations, security teams tracking local privilege escalation vectors, and developers integrating LibreDWG components into CAD processing pipelines.

Technical summary

The vulnerability resides in the `bit_convert_TU` function within `programs/dwggrep.c` of GNU LibreDWG versions up to 0.14. The function does not properly validate buffer bounds while processing its input, so a crafted input causes it to read past the end of the buffer. The weakness is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). Exploitation requires local access to the system and involves manipulation of the Dwggrep utility. The CVSS 4.0 vector indicates a local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L) and no user interaction (UI:N), with low confidentiality impact (VC:L) and no integrity or availability impact. A fix has been committed to the official repository.

Defensive priority

low

Recommended defensive actions

  • Apply the official patch from commit `be996bf2178a40e98720f18c2414815d244413db` to address the out-of-bounds read in `bit_convert_TU`
  • Upgrade to LibreDWG version 0.15 or later when available
  • Restrict local access to the Dwggrep utility on multi-user systems
  • Monitor for suspicious local activity involving crafted DWG files
  • Review local file permissions to limit untrusted user access to the utility

Evidence notes

Vulnerability details sourced from NVD and Vuldb. Patch commit verified through official LibreDWG repository. CWE-119 and CWE-125 identified as applicable weaknesses.

Official resources
