CVE-2026-9503
LOWGNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference
Title source: cnaDescription
A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.
References (7)
Core 7
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-365485 | GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference
https://vuldb.com/vuln/365485
Signature, Permissions Required signature
permissions-required
VDB-365485 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/365485/cti
Third Party Advisory third-party-advisory
Submit #814260 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476)
https://vuldb.com/submit/814260
Issue Tracking issue-tracking
https://github.com/LibreDWG/libredwg/issues/1245
Exploit exploit
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg
Product product
https://www.gnu.org/
Scores
CVSS v3
3.3
EPSS
0.0014
EPSS Percentile
3.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-404
CWE-476
Status
published
Products (14)
GNU/LibreDWG
0.1
GNU/LibreDWG
0.10
GNU/LibreDWG
0.11
GNU/LibreDWG
0.12
GNU/LibreDWG
0.13
GNU/LibreDWG
0.14
GNU/LibreDWG
0.2
GNU/LibreDWG
0.3
GNU/LibreDWG
0.4
GNU/LibreDWG
0.5
... and 4 more
Published
May 25, 2026
Tracked Since
May 26, 2026