OOB Read in GNU LibreDWG (pre-0.14) Dwgbmp Utility
CVE-2026-9530 Published on May 26, 2026

GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds
A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue.

NVD

Timeline

Advisory disclosed

VulDB entry created

VulDB entry last update

Weakness Types

Out-of-bounds Read

The software reads data past the end, or before the beginning, of the intended buffer. Typically, this can allow attackers to read sensitive information from other memory locations or cause a crash. A crash can occur when the code reads a variable amount of data and assumes that a sentinel exists to stop the read operation, such as a NUL in a string. The expected sentinel might not be located in the out-of-bounds memory, causing excessive data to be read, leading to a segmentation fault or a buffer overflow. The software may modify an index or perform pointer arithmetic that references a memory location that is outside of the boundaries of the buffer. A subsequent read operation then produces undefined or unexpected results.

What is a Buffer Overflow Vulnerability?

The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

CVE-2026-9530 has been classified to as a Buffer Overflow vulnerability or weakness.


Products Associated with CVE-2026-9530

Want to know whenever a new CVE is published for GNU Libredwg? stack.watch will email you.

GNU Libredwg
 

Affected Versions

GNU LibreDWG: