Description
Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.
Published: 2026-03-12
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

A heap buffer overflow occurs in the function decompress_R2004_section in decode.c while it decompresses a section of a crafted DWG file. The memory corruption lets an attacker crash any process that parses the file with an affected LibreDWG build, resulting in a denial of service. The weakness is classified as CWE-122 (Heap-based Buffer Overflow); the record documents only the availability impact, with no confidentiality or integrity loss recorded in the CVSS vector.
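
An added illustrative example, not code from LibreDWG and not the actual defect in decompress_R2004_section: a toy LZ77-style section decompressor in C, in the shape of a DWG section decoder, written first in the unchecked form that produces the class of heap overflow CWE-122 describes when the stream's length and distance fields are trusted, then with the bounds checks a hardened decoder needs. The stream format, the sample streams, the header size and all function names are constructed for this example.

```c
/* Added example, not LibreDWG code: a toy LZ77-style section decompressor.
 * decompress_unsafe() trusts the lengths in the stream (the CWE-122 pattern);
 * decompress_safe() validates them. Format and samples are constructed here.
 * Toy format:  token < 0x80  -> literal run, token+1 bytes follow
 *              token >= 0x80 -> copy (token & 0x7F)+2 bytes from `dist` bytes
 *                               back in the output; dist is the next byte    */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* VULNERABLE: the output size from the header is accepted but never enforced.
 * A run longer than the remaining output writes past the heap allocation, and
 * a distance larger than the bytes produced so far reads before it. */
static long decompress_unsafe(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t out_size)
{
    size_t ip = 0, op = 0;
    (void)out_size;                               /* declared size ignored */
    while (ip < in_len) {
        uint8_t tok = in[ip++];
        if (tok < 0x80) {
            size_t n = (size_t)tok + 1;
            memcpy(out + op, in + ip, n);         /* unchecked heap write */
            ip += n; op += n;
        } else {
            size_t n = (size_t)(tok & 0x7F) + 2;
            size_t dist = in[ip++];               /* may read past input */
            for (size_t i = 0; i < n; i++, op++)
                out[op] = out[op - dist];         /* unchecked write and read */
        }
    }
    return (long)op;
}

/* HARDENED: every length and distance is validated against what remains in
 * the input, the output and the already-produced history before any copy.
 * Returns bytes produced, or -1 for a malformed stream. */
static long decompress_safe(const uint8_t *in, size_t in_len,
                            uint8_t *out, size_t out_size)
{
    size_t ip = 0, op = 0;
    while (ip < in_len) {
        uint8_t tok = in[ip++];
        if (tok < 0x80) {
            size_t n = (size_t)tok + 1;
            if (n > in_len - ip || n > out_size - op)
                return -1;                        /* literal run would overrun */
            memcpy(out + op, in + ip, n);
            ip += n; op += n;
        } else {
            size_t n = (size_t)(tok & 0x7F) + 2;
            if (ip >= in_len)
                return -1;                        /* truncated back-reference */
            size_t dist = in[ip++];
            if (dist == 0 || dist > op || n > out_size - op)
                return -1;                        /* bad distance or overrun */
            for (size_t i = 0; i < n; i++, op++)  /* byte loop: overlap is legal */
                out[op] = out[op - dist];
        }
    }
    return (long)op;
}

#define DECLARED_SIZE 10   /* what the constructed header claims to produce */

/* Constructed sample streams, not bytes taken from any real DWG file. */
static const uint8_t GOOD_STREAM[] = {
    0x02, 'A', 'B', 'C',   /* literal "ABC"                        */
    0x84, 0x03,            /* copy 6 bytes from 3 back: "ABCABC"   */
    0x00, 'D' };           /* literal "D"  -> "ABCABCABCD"         */
static const uint8_t OVERRUN_STREAM[]   = { 0x02, 'A', 'B', 'C', 0xFF, 0x03 }; /* 3+129 bytes into 10 */
static const uint8_t UNDERFLOW_STREAM[] = { 0x84, 0x05 };                      /* dist 5, no history  */

/* 1 if decoder `fn` turns GOOD_STREAM into "ABCABCABCD" inside a 10-byte heap buffer. */
int decodes_benign(long (*fn)(const uint8_t *, size_t, uint8_t *, size_t))
{
    uint8_t *out = malloc(DECLARED_SIZE);
    if (!out) return 0;
    long n = fn(GOOD_STREAM, sizeof GOOD_STREAM, out, DECLARED_SIZE);
    int ok = n == 10 && memcmp(out, "ABCABCABCD", 10) == 0;
    free(out);
    return ok;
}

/* 1 if the hardened decoder refuses both crafted streams. */
int safe_rejects_crafted(void)
{
    uint8_t *out = malloc(DECLARED_SIZE);
    if (!out) return 0;
    int ok = decompress_safe(OVERRUN_STREAM, sizeof OVERRUN_STREAM, out, DECLARED_SIZE) < 0
          && decompress_safe(UNDERFLOW_STREAM, sizeof UNDERFLOW_STREAM, out, DECLARED_SIZE) < 0;
    free(out);
    return ok;
}

int main(int argc, char **argv)
{
    printf("safe   on benign : %s\n", decodes_benign(decompress_safe)   ? "ok" : "FAIL");
    printf("unsafe on benign : %s\n", decodes_benign(decompress_unsafe) ? "ok" : "FAIL");
    printf("safe   on crafted: %s\n", safe_rejects_crafted() ? "rejected" : "ACCEPTED");
    if (argc > 1 && strcmp(argv[1], "crash") == 0) {
        /* Build with -fsanitize=address: ASan reports a heap-buffer-overflow
         * WRITE in decompress_unsafe on the 10-byte allocation. */
        uint8_t *out = malloc(DECLARED_SIZE);
        if (out) { decompress_unsafe(OVERRUN_STREAM, sizeof OVERRUN_STREAM, out, DECLARED_SIZE); free(out); }
    }
    return 0;
}
```

Build with `cc -std=c99 -g -fsanitize=address demo.c -o demo`; `./demo` shows both decoders agree on the benign stream and the hardened one rejecting both crafted streams, while `./demo crash` feeds the overrun stream to the unchecked decoder and AddressSanitizer reports the out-of-bounds heap write. The checks worth carrying into any real decompressor are the three performed before each copy: remaining input, remaining output, and available history (dist no larger than the bytes already produced).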

Affected Systems

LibreDWG builds 0.13.3.7571 through 0.13.3.7835 are affected. Any application or service that links one of these builds to read or convert DWG files, including LibreDWG's own command-line tools such as dwgread and dwg2dxf, is exposed whenever it processes a file from an untrusted source.

Risk and Exploitability

The CVSS 3.1 base score is 6.5 (Medium), vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H: the file is delivered over the network, no privileges are required, a user or service has to open it, and the recorded impact is on availability only. The EPSS score is below 1 %, a low estimated probability of exploitation in the wild within the next 30 days, and the CVE is not listed in the CISA KEV catalog (SSVC: Exploitation none, Automatable no). Exposure is highest where an affected LibreDWG build parses DWG files from untrusted sources, such as automated conversion, preview or indexing services; a single crafted file is enough to crash the parsing process. The low exploitation likelihood does not change the remedy: update, and until then treat DWG input from untrusted sources as hostile.

Generated by OpenCVE AI on March 18, 2026 at 14:48 UTC.

Remediation

No vendor advisory or workaround is linked from this record. The only mitigation available from the record itself is to move to a build newer than 0.13.3.7835 and, until that is done, to keep affected builds away from DWG files of untrusted origin.

OpenCVE Recommended Actions

  • Upgrade LibreDWG to a version newer than 0.13.3.7835

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 15:45:00 +0000

Title (added): Heap Buffer Overflow in LibreDWG Leading to Denial of Service via DWG File Decompression

Sat, 14 Mar 2026 04:15:00 +0000

Weaknesses (added): CWE-122
Metrics (added): cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

First Time appeared (added): Libredwg; Libredwg libredwg
Vendors & Products (added): Libredwg; Libredwg libredwg

Thu, 12 Mar 2026 19:15:00 +0000

Description (added): Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-14T03:37:22.667Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61154

Vulnrichment

Updated: 2026-03-14T03:37:17.594Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T19:16:14.753

Modified: 2026-03-16T14:18:00.103

Link: CVE-2025-61154

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:36Z

Weaknesses