CVE Record

CVE-2026-9529: GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks.

Medium | CVSS 4.8 | Not KEV-listed
Glexia's Take: moderate

Analyst readout for executives and security teams

Plain-English summary

CVE-2026-9529 is a crash flaw in GNU LibreDWG's dwggrep utility. A manipulation performed with local access can trigger a null pointer dereference and disrupt availability. The sources do not indicate data theft, remote compromise, or active exploitation, but they do state that a public exploit exists.

Executive priority

Treat this as a moderate operational risk. Prioritize environments that process external CAD/DWG files or provide shared local access. It is not presented as a remote takeover issue, but public exploit availability justifies timely containment and vendor tracking.

Technical view

The flaw affects match_BLOCK_HEADER in dwggrep.c within the GNU LibreDWG Dwggrep Utility up to 0.14. It is classified as CWE-476 and CWE-404, with a CVSS 4.0 score of 4.8. The CVSS vector specifies local access, low attack complexity, low privileges, no user interaction, and low availability impact on the vulnerable system.

Likely exposure

Exposure is mainly systems where GNU LibreDWG dwggrep is installed and callable by local users or automated DWG-processing jobs. Listed affected versions are 0.1 through 0.14. The supplied sources do not indicate internet-facing exposure or impact to other GNU components.

Exploitation context

The source material states that exploit material has been released publicly and may be used for attacks. KEV status is false, and no supplied source confirms active exploitation. According to the CVSS vector, the attacker needs local access and low privileges.

Researcher notes

Evidence is sufficient for affected component, version range, weakness type, and local availability impact. Evidence is incomplete on a fixed release, practical exploit reliability, and real-world exploitation. Do not infer impact beyond dwggrep or GNU LibreDWG versions named in the sources.

Mitigation direction

  • Inventory systems running GNU LibreDWG versions 0.1 through 0.14.
  • Avoid processing untrusted DWG files with dwggrep until vendor guidance is confirmed.
  • Restrict dwggrep execution to trusted users and controlled automation paths.
  • Run DWG processing in a sandboxed or low-impact environment where practical.
  • Monitor GNU LibreDWG and issue tracker references for an official fix or workaround.

Validation and detection

  • Check installed LibreDWG versions against the affected range in the CVE record.
  • Identify scheduled jobs, scripts, or user workflows that invoke dwggrep.
  • Review crash logs for dwggrep failures during BLOCK_HEADER processing or DWG scanning.
  • Confirm untrusted DWG files are not processed on production or shared systems.
  • Track whether upstream issue 1247 or CVE records add patch information.

Confidence: medium
Sources: 8

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-404: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

cwe · low confidence lookup

CWE-476: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

cve · low confidence lookup

CVE-2026-9529 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Vulnerability profile (CVE Program record)

Severity: Medium
CVSS: 4.8 (4.0)
Known Exploited: No

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

4 CVSS vectors
6 Timeline events
1 ADP providers
7 Source links

SSVC decision data

CISA-ADP (CISA Coordinator)
Version: 2.0.3
Exploitation: poc
Automatable: no
Technical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

| Score | Version | Severity | Vector | Exploit | Impact | Source |
|---|---|---|---|---|---|---|
| 4.8 | CVSS 4.0 | Medium | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P | | | VulDB |
| 3.3 | CVSS 3.1 | Low | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C | 1.8 | 1.4 | VulDB |
| 3.3 | CVSS 3.0 | Low | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C | 1.8 | 1.4 | VulDB |
| 1.7 | CVSS 2.0 | Low | AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C | 3.1 | 2.9 | VulDB |

Vulnerability scoring details

Base CVSS 4.0 score

4.8 Medium
[Figure: CVSS 4.0 vector shape for CVE-2026-9529. Axes: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability]

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
VS Confidentiality: None
VS Integrity: None
VS Availability: Low
SS Confidentiality: None
SS Integrity: None
SS Availability: None

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timeline VulDB

    Advisory disclosed

  2. Source timeline VulDB

    VulDB entry created

  3. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timeline VulDB

    VulDB entry last update

  5. CVE published CVE Program

    The CVE record was published.

  6. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADP CISA ADP Vulnrichment
other:ssvc

Affected products

Products and packages named in the record

| Vendor | Product | Version / package | Status |
|---|---|---|---|
| GNU | LibreDWG | 0.1, 0.2, 0.3, 0.4, 0.5, 0.6, 0.7, 0.8, 0.9, 0.10, 0.11, 0.12, 0.13, 0.14 | Listed |

Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-404 · source CWE mapping

Improper Resource Shutdown or Release

Improper Resource Shutdown or Release represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.

CWE-476 · source CWE mapping

NULL Pointer Dereference

NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.