PatchSiren cyber security CVE debrief
CVE-2026-9605 GNU CVE debrief
A heap-based buffer overflow vulnerability exists in GNU libredwg through version 0.13.4.8160, specifically within the bit_read_RC function in bits.c, which is part of the Dwgbmp Utility component. The vulnerability is remotely exploitable and has been assigned a CVSS 4.0 score of 5.5 (MEDIUM). The issue was published on 2026-05-27. A proof-of-concept exploit has been made publicly available, increasing the risk of active exploitation. The vulnerability stems from improper bounds checking during memory operations, classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-122 (Heap-based Buffer Overflow). A patch has been committed to address this issue.
- Vendor
- GNU
- Product
- libredwg
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-27
- Original CVE updated
- 2026-05-28
- Advisory published
- 2026-05-27
- Advisory updated
- 2026-05-28
Who should care
Organizations using GNU libredwg for DWG file processing, particularly in automated or network-accessible workflows. Software vendors integrating libredwg into CAD-related applications. Security teams monitoring for memory corruption vulnerabilities in file parsing libraries. Infrastructure operators running services that process untrusted DWG file uploads.
Technical summary
The vulnerability resides in the bit_read_RC function within bits.c of GNU libredwg's Dwgbmp Utility component. This function appears to handle reading of raw character data during DWG file processing. The heap-based buffer overflow condition can be triggered when processing malformed DWG files, potentially allowing remote attackers to corrupt memory and achieve code execution. The vulnerability affects versions up to and including 0.13.4.8160. The attack vector is network-based with low complexity, requiring no authentication or user interaction. Public exploit availability increases the urgency for patching.
Defensive priority
medium
Recommended defensive actions
- Apply the official patch commit 8f03865f37f5d4ffd616fef802acc980be54d300 to remediate the heap-based buffer overflow vulnerability
- Upgrade to libredwg version containing the patch commit 8f03865f37f5d4ffd616fef802acc980be54d300 or later
- Review and restrict network exposure of systems processing untrusted DWG files through the Dwgbmp Utility component
- Monitor for suspicious DWG file processing activity that may indicate exploitation attempts
- Implement application-level input validation for DWG files prior to processing by libredwg
- Consider sandboxing or isolating libredwg-based applications that handle external DWG file sources
Evidence notes
The vulnerability description identifies the affected function (bit_read_RC), source file (bits.c), and component (Dwgbmp Utility). The CVSS 4.0 vector indicates network attack vector with low attack complexity and no required privileges or user interaction. The exploit availability flag (E:P) confirms public exploit existence. The patch commit hash 8f03865f37f5d4ffd616fef802acc980be54d300 is explicitly referenced in source materials.
Official resources
public