Description
A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section in the file src/decode.c of the Dwgbmp Utility component. Manipulating its input can lead to an out-of-bounds read. The attack requires local access. An exploit has been made public and could be used in attacks. The fix is commit 8f03865f37f5d4ffd616fef802acc980be54d300; applying it is advisable.
Published: 2026-05-26
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the read_2004_compressed_section function of src/decode.c in the Dwgbmp Utility of GNU LibreDWG. Processing a specially crafted DWG file can trigger an out-of-bounds read, allowing local attackers to access arbitrary memory content. The flaw is not exploitable remotely and requires local access, but a public exploit is available.

Affected Systems

GNU LibreDWG, versions up to and including 0.14.

Risk and Exploitability

The CVSS v4.0 score is 4.8, indicating moderate severity. EPSS data is not available and the vulnerability is not listed in CISA KEV. Because a public exploit exists but local execution is required, the risk is moderate and still calls for timely remediation. Note that the recorded CVSS v3.x and v4.0 vectors rate the confidentiality impact as none (C:N / VC:N) and the availability impact as low (A:L / VA:L), which points to a crash of the utility rather than information disclosure.

Generated by OpenCVE AI on May 26, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch corresponding to commit 8f03865f37f5d4ffd616fef802acc980be54d300 or upgrade LibreDWG to a version newer than 0.14.
  • Limit local access to the Dwgbmp utility or restrict processing of DWG files to trusted sources.
  • Monitor the system for suspicious use of the Dwgbmp utility and for patterns of local execution that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 26 May 2026 16:30:00 +0000

  • Metrics (value added): ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 12:15:00 +0000

  • References: changed (no values listed)
  • Metrics: threat_severity changed from None (value removed) to Low (value added)

Tue, 26 May 2026 05:00:00 +0000 (initial record; all values added)

  • Description: A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue.
  • Title: GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds
  • First Time appeared: Gnu; Gnu libredwg
  • Weaknesses: CWE-119; CWE-125
  • CPEs: cpe:2.3:a:gnu:libredwg:*:*:*:*:*:*:*:*
  • Vendors & Products: Gnu; Gnu libredwg
  • References: (no values listed)
  • Metrics:
      cvssV2_0 = {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}
      cvssV3_0 = {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV3_1 = {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}
      cvssV4_0 = {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-26T15:16:51.780Z

Reserved: 2026-05-25T19:39:02.809Z

Link: CVE-2026-9530

Vulnrichment

Updated: 2026-05-26T15:16:18.360Z

NVD

Status : Received

Published: 2026-05-26T05:16:19.197

Modified: 2026-05-26T16:16:30.820

Link: CVE-2026-9530

Redhat

Severity : Low

Public Date: 2026-05-26T04:30:11Z

Links: CVE-2026-9530 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-26T06:30:36Z

Weaknesses