Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9503 is a crash risk in GNU LibreDWG when handling malformed DWG files. It affects versions up to 0.14 and involves a null pointer dereference in DWG decoding. Business impact is mainly availability disruption for systems that process DWG files, especially from untrusted users or automated intake pipelines.
Executive priority
Treat as a moderate-priority availability issue. Patch promptly where LibreDWG processes untrusted or business-critical DWG files. Lower priority is reasonable for isolated developer tools that do not ingest external files, but public exploit availability raises the urgency above routine maintenance.
Technical view
The flaw is in src/decode.c, function dwg_next_entity, within the DWG file handler. Sources describe CWE-476 and CWE-404 behavior, with CVSS 4.0 score 4.8. The vector is local, low complexity, low privileges, no user interaction, and limited availability impact without stated confidentiality or integrity impact.
Likely exposure
Exposure is most likely where LibreDWG is installed on workstations, conversion services, CI jobs, or backend systems that parse DWG files. Risk increases if DWG files come from external users, partners, email attachments, support portals, or automated file processing queues.
Exploitation context
The source bundle says exploit material has been publicly released and may be used for attacks. CISA KEV status is false in the bundle, and no cited source confirms active exploitation. The attack is described as local rather than network-reachable.
Researcher notes
Evidence supports a local denial-of-service style crash through null pointer dereference in dwg_next_entity. The bundle references a public exploit artifact and a specific patch commit. It does not provide evidence of active exploitation, remote reachability, or confidentiality/integrity compromise.
Mitigation direction
- Inventory all LibreDWG deployments and identify versions 0.14 or earlier.
- Upgrade to a release or build containing commit 8f03865f37f5d4ffd616fef802acc980be54d300.
- Restrict processing of untrusted DWG files until patched.
- Run DWG parsing with least privilege and process isolation.
- Monitor LibreDWG and VulDB references for vendor release guidance.
Validation and detection
- Confirm whether installed LibreDWG versions are 0.14 or earlier.
- Verify patched builds include commit 8f03865f37f5d4ffd616fef802acc980be54d300.
- Map applications and jobs that call LibreDWG on user-supplied DWG files.
- Run controlled regression tests for malformed DWG handling after upgrading.
- Check crash logs for LibreDWG decoder failures in affected workflows.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-404: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9503 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4.8 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P — — VulDB CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C 1.8 1.4 VulDB CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C 1.8 1.4 VulDB AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C 3.1 2.9 VulDB Vulnerability scoring details
Base CVSS 4.0 score
4.8 MediumVector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
3.3 LowVector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Base CVSS 3.0 score
3.3 LowVector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Base CVSS 2.0 score
1.7 LowVector: AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365485 | GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference CVE reference, VulDB · vdb-entry, technical-description
- VDB-365485 | CTI Indicators (IOB, IOC, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #814260 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476) CVE reference, VulDB · third-party-advisory
- https://github.com/LibreDWG/libredwg/issues/1245 CVE reference, VulDB · issue-tracking
- https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg CVE reference, VulDB · exploit
- https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be54d300 CVE reference, VulDB · patch
- https://www.gnu.org/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Resource Shutdown or Release
Improper Resource Shutdown or Release represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.