GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference

4.8 / 10

MEDIUM

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Description

A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.

Basic Information

ID CVE-2026-9503

Source VulDB

Published May 25, 2026 at 21:00

Affected Product

Vendor GNU

Product LibreDWG

Version 0.1

Affected Versions GNU LibreDWG 0.1
GNU LibreDWG 0.2
GNU LibreDWG 0.3
GNU LibreDWG 0.4
GNU LibreDWG 0.5
GNU LibreDWG 0.6
GNU LibreDWG 0.7
GNU LibreDWG 0.8
GNU LibreDWG 0.9
GNU LibreDWG 0.10
GNU LibreDWG 0.11
GNU LibreDWG 0.12
GNU LibreDWG 0.13
GNU LibreDWG 0.14

CWE Classification

CWE-476 CWE-404

References

{
    "lastseen": "",
    "description": "A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.",
    "published": "2026-05-25T21:00:16.085Z",
    "modified": "2026-05-25T21:00:16.085Z",
    "type": "cve",
    "title": "GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/365485\nhttps://vuldb.com/vuln/365485/cti\nhttps://vuldb.com/submit/814260\nhttps://github.com/LibreDWG/libredwg/issues/1245\nhttps://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg\nhttps://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be54d300\nhttps://www.gnu.org/",
    "id": "CVE-2026-9503",
    "bulletinFamily": "",
    "cwe": [
        "CWE-476",
        "CWE-404"
    ],
    "cvelist": null,
    "sourceData": "GNU LibreDWG 0.1\nGNU LibreDWG 0.2\nGNU LibreDWG 0.3\nGNU LibreDWG 0.4\nGNU LibreDWG 0.5\nGNU LibreDWG 0.6\nGNU LibreDWG 0.7\nGNU LibreDWG 0.8\nGNU LibreDWG 0.9\nGNU LibreDWG 0.10\nGNU LibreDWG 0.11\nGNU LibreDWG 0.12\nGNU LibreDWG 0.13\nGNU LibreDWG 0.14",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LibreDWG",
    "version": "0.1",
    "vendor": "GNU",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference_CVE-2026-9503