LibreDWG 0.14 Null Deref in dwg_next_entity (Local)
CVE-2026-9503 Published on May 25, 2026
GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference
A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Types
NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. NULL pointer dereference issues can occur through a number of flaws, including race conditions, and simple programming omissions.
Improper Resource Shutdown or Release
The program does not release or incorrectly releases a resource before it is made available for re-use. When a resource is created or allocated, the developer is responsible for properly releasing the resource as well as accounting for all potential paths of expiration or invalidation, such as a set period of time or revocation.
Products Associated with CVE-2026-9503
Want to know whenever a new CVE is published for GNU Libredwg? stack.watch will email you.
Affected Versions
GNU LibreDWG:- Version 0.1 is affected.
- Version 0.2 is affected.
- Version 0.3 is affected.
- Version 0.4 is affected.
- Version 0.5 is affected.
- Version 0.6 is affected.
- Version 0.7 is affected.
- Version 0.8 is affected.
- Version 0.9 is affected.
- Version 0.10 is affected.
- Version 0.11 is affected.
- Version 0.12 is affected.
- Version 0.13 is affected.
- Version 0.14 is affected.