LiveActive security incident?Get immediate response
CVE Record

CVE-2020-21819: A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape ../../programs/es...

A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10.2641via htmlescape ../../programs/escape.c:51.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysisunknown

Security readout for executives and security teams

Plain-English summary

This CVE describes a heap-based buffer overflow in GNU LibreDWG 0.10.2641, in the htmlescape logic in programs/escape.c. The public record does not provide CVSS, confirmed affected product metadata, exploit evidence, or a named fix. Treat this as a targeted dependency and toolchain exposure question, not a broadly proven emergency.

Executive priority

Prioritize discovery before emergency response. The issue is a memory-safety flaw, but public evidence is sparse: no CVSS, no KEV listing, no confirmed active exploitation, and no clear fix in the provided sources.

Technical view

The cited vulnerability is memory corruption at escape.c:51 in LibreDWG 0.10.2641 htmlescape. A heap buffer overflow may affect processes that invoke the vulnerable code path. The provided sources do not establish remote reachability, privilege impact, reliable exploitation, fixed versions, or affected downstream packages.

Likely exposure

Exposure is most likely where GNU LibreDWG 0.10.2641 or tools built from it process untrusted DWG-related content. The source bundle lists affected vendor/product as n/a, so downstream package and application exposure is not confirmed.

Exploitation context

The source bundle does not show CISA KEV inclusion and provides no cited evidence of active exploitation. It also does not document public exploit maturity, attacker prerequisites, or whether this is reachable through network-facing workflows.

Researcher notes

Key gaps are affected product metadata, CVSS, fixed version, reachability, and impact beyond heap corruption. Research should focus on confirming the vulnerable code path in deployed builds and mapping any applications that feed attacker-controlled files into LibreDWG.

Mitigation direction

  • Identify any LibreDWG 0.10.2641 use in build, conversion, or document-processing workflows.
  • Check GNU LibreDWG project guidance for fixed versions or recommended remediation.
  • Avoid processing untrusted DWG-related content through affected tooling until remediated.
  • Run document conversion tools with least privilege and isolation where practical.
  • Track package manager advisories for downstream LibreDWG builds.

Validation and detection

  • Inventory installed LibreDWG versions and embedded copies in applications or containers.
  • Confirm whether htmlescape or affected escape functionality is reachable in your workflows.
  • Review vendor issue and CVE records for fix or version clarification.
  • Check logs for crashes in LibreDWG-based conversion or parsing jobs.
  • Document any compensating isolation around affected processing paths.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2020-21819 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.