Description
A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GNU LibreDWG contains a null pointer dereference in the match_BLOCK_HEADER function of dwggrep.c. The flaw can be triggered by a local attacker manipulating the input to dwggrep, causing the program to crash or behave unpredictably. The impact is a denial of service on the host system, potentially allowing local users to disrupt services that rely on LibreDWG utilities.

Affected Systems

The vulnerability affects installations of GNU LibreDWG version 0.14 and earlier. Any system running these versions and invoking the dwggrep utility is susceptible.

Risk and Exploitability

The CVSS score of 4.8 indicates a moderate risk level. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The exploit is local only and requires an attacker with access to the affected system to manipulate dwggrep’s input. Publicly available exploits have been released, raising the practical risk for unpatched systems.

Generated by OpenCVE AI on May 26, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreDWG to a release newer than 0.14 that contains the fix for the match_BLOCK_HEADER null pointer dereference.
  • Restrict the local use of the dwggrep utility to privileged accounts, preventing untrusted users from executing it until the issue is resolved.
  • If an upgrade cannot be performed immediately, run dwggrep in a sandboxed or isolated environment and monitor for abnormal behavior, thereby limiting the potential impact on the host system.

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 26 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description: A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks.
Title: GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference
First Time appeared: Gnu; Gnu libredwg
Weaknesses: CWE-404, CWE-476
CPEs: cpe:2.3:a:gnu:libredwg:*:*:*:*:*:*:*:*
Vendors & Products: Gnu; Gnu libredwg
References
Metrics cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
Metrics cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
Metrics cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T12:45:02.086Z

Reserved: 2026-05-25T19:38:59.163Z

Link: CVE-2026-9529

Vulnrichment

Updated: 2026-05-26T12:44:56.481Z

NVD

Status: Received

Published: 2026-05-26T05:16:19.030

Modified: 2026-05-26T05:16:19.030

Link: CVE-2026-9529

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T07:30:35Z

Weaknesses