PatchSiren cyber security CVE debrief

CVE-2026-9530 GNU CVE debrief

A local out-of-bounds read vulnerability exists in GNU LibreDWG through version 0.14, specifically within the read_2004_compressed_section function in src/decode.c. The vulnerability affects the Dwgbmp Utility component and can be triggered through manipulation of DWG file processing. The issue was disclosed publicly on 2026-05-26 with a CVSS 4.0 score of 1.9 (LOW severity), reflecting the local attack vector and limited availability impact. A patch commit (8f03865f37f5d4ffd616fef802acc980be54d300) has been published to address this weakness. The vulnerability is classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read).

Vendor: GNU
Product: LibreDWG
CVSS: LOW 1.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using GNU LibreDWG for DWG file processing, particularly in automated or multi-user environments where untrusted DWG files may be processed. System administrators maintaining CAD file conversion pipelines and developers integrating LibreDWG into document processing workflows should prioritize patching.

Technical summary

The vulnerability resides in the read_2004_compressed_section function in src/decode.c of GNU LibreDWG 0.14 and earlier. This function decompresses the sections of a DWG file stored in the 2004 format. Malformed compressed section data can drive a read past the end of the section buffer, which may disclose memory contents or crash the process. Exploitation requires local access: a crafted DWG file has to be fed to the Dwgbmp Utility or another component that uses the affected decode path.

Defensive priority

low

Recommended defensive actions

  • Apply the official patch commit 8f03865f37f5d4ffd616fef802acc980be54d300 from the LibreDWG repository
  • Upgrade to LibreDWG version 0.15 or later when available
  • Restrict local access to DWG file processing utilities on multi-user systems
  • Monitor for suspicious DWG file handling activity on affected systems
  • Validate DWG file inputs before processing through LibreDWG utilities
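The input-validation and access-restriction actions above can be combined into a small pre-processing gate. This is an added illustration, not LibreDWG code: it checks the standard DWG header magic (AC1018 marks the 2004 format whose compressed sections the affected function parses), enforces an assumed size ceiling, and runs the dwgbmp utility (invocation assumed) under a timeout and resource limits so a malformed file only costs one contained process.

```python
"""Pre-processing gate for DWG files before they reach LibreDWG utilities.

Added illustration, not part of LibreDWG. The version tags are the standard
DWG header magics; MAX_DWG_BYTES, the rlimits and the dwgbmp command line are
assumed deployment choices.
"""
import resource
import subprocess
from typing import Optional, Tuple

# Standard 6-byte DWG header magic -> AutoCAD release.
# AC1018 is the 2004 format handled by read_2004_compressed_section.
DWG_VERSIONS = {
    b"AC1009": "R11/R12", b"AC1012": "R13", b"AC1014": "R14",
    b"AC1015": "R2000", b"AC1018": "R2004", b"AC1021": "R2007",
    b"AC1024": "R2010", b"AC1027": "R2013", b"AC1032": "R2018",
}
MAX_DWG_BYTES = 64 * 1024 * 1024  # assumed per-deployment ceiling


def classify_dwg(data: bytes) -> Optional[str]:
    """Return the DWG release name from the header magic, or None if unknown."""
    return DWG_VERSIONS.get(data[:6])


def should_process(data: bytes) -> Tuple[bool, str]:
    """Decide whether a file may enter the conversion pipeline, with a reason."""
    if len(data) > MAX_DWG_BYTES:
        return False, "oversized"
    version = classify_dwg(data)
    if version is None:
        return False, "not a recognised DWG header"
    return True, version


def _limit_resources() -> None:
    # Cap address space and CPU time (assumed values) so a malformed file
    # cannot exhaust the host; a crash from an out-of-bounds read stays
    # confined to this child process.
    resource.setrlimit(resource.RLIMIT_AS, (512 * 1024 * 1024,) * 2)
    resource.setrlimit(resource.RLIMIT_CPU, (30, 30))


def run_dwgbmp(dwg_path: str, bmp_path: str) -> int:
    """Run dwgbmp on an already vetted file with rlimits and a timeout.
    Returns the exit status; anything non-zero (including a signal) is a reject."""
    proc = subprocess.run(["dwgbmp", dwg_path, bmp_path],  # assumed invocation
                          preexec_fn=_limit_resources, timeout=60,
                          capture_output=True)
    return proc.returncode
```

Call should_process on the file bytes first and only pass files that return True to run_dwgbmp; a non-zero status from the child should quarantine the input rather than retry it.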

Evidence notes

The vulnerability was reported to VulDB (submission 814275) and assigned VulDB entry 365549. The issue was tracked as GitHub issue #1248 in the LibreDWG repository. The patch commit was made available through the official LibreDWG GitHub repository.
