Analyst readout for executives and security teams
Plain-English summary
CVE-2026-9530 affects GNU LibreDWG through version 0.14. A local user can trigger an out-of-bounds read in the Dwgbmp utility when handling a crafted DWG file. The rated impact is limited availability loss, but a public proof artifact exists, so exposed systems should patch promptly.
Executive priority
Treat this as a targeted, moderate operational risk. It is not evidenced as actively exploited or remotely reachable, but public exploit material and file-processing exposure justify near-term patching where LibreDWG handles external DWG files.
Technical view
The issue is in src/decode.c, function read_2004_compressed_section, within the Dwgbmp utility. Sources classify it as CWE-119 and CWE-125, with CVSS 4.0 score 4.8. The attack vector is local, low complexity, low privileges, no user interaction, and low availability impact. Patch commit 8f03865f37f5d4ffd616fef802acc980be54d300 is referenced.
Likely exposure
Exposure is most likely where GNU LibreDWG 0.1 through 0.14 or affected main-branch builds are installed and dwgbmp processes DWG files from users, partners, CI jobs, conversion services, or shared workstations.
Exploitation context
The source bundle says exploit material is public. KEV is false, and no cited source in the bundle confirms active exploitation in the wild. Local access and low privileges are required, so internet-wide remote compromise is not supported by the provided evidence.
Researcher notes
Do not assume products beyond GNU LibreDWG from the provided sources. The public artifact supports exploit availability, not confirmed in-the-wild activity. Focus validation on affected versions, dwgbmp reachability, untrusted DWG processing, and whether the named patch is present.
Mitigation direction
- Apply LibreDWG patch commit 8f03865f37f5d4ffd616fef802acc980be54d300 or a vendor release containing it.
- Restrict dwgbmp processing of untrusted DWG files until patched.
- Prioritize systems where DWG conversion runs on shared hosts or automation workers.
- Monitor LibreDWG and GNU guidance for any corrected release or additional mitigation.
- Rebuild dependent packages that bundle or statically link affected LibreDWG code.
Validation and detection
- Inventory LibreDWG versions and flag 0.1 through 0.14 as affected.
- Confirm whether dwgbmp is installed or invoked in production workflows.
- Check package source or build metadata for patch commit 8f03865f37f5d4ffd616fef802acc980be54d300.
- Review file-ingestion paths for untrusted DWG inputs.
- Run normal conversion regression tests after updating LibreDWG.
Public sources used
Based on public source material and reviewed before publication.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-119: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCWE-125: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2026-9530 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Medium
- CVSS
- 4.8 (4.0)
- Known Exploited
- No
- Published
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
SSVC decision data
CVSS vector scores
4 official scoresWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P — — VulDB CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C 1.8 1.4 VulDB CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C 1.8 1.4 VulDB AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C 3.1 2.9 VulDB Vulnerability scoring details
Base CVSS 4.0 score
4.8 MediumVector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Base CVSS 3.1 score
3.3 LowVector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Base CVSS 3.0 score
3.3 LowVector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
Base CVSS 2.0 score
1.7 LowVector: AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
- Source timeline VulDB
Advisory disclosed
- Source timeline VulDB
VulDB entry created
- CVE reserved CVE Program
The CVE ID was reserved by the assigning CNA.
- Source timeline VulDB
VulDB entry last update
- CVE published CVE Program
The CVE record was published.
- CVE updated CVE Program
The CVE record metadata indicates this as the latest update time.
ADP provider summaries
Source materials
- CVE List V5 source CVE List V5
- VDB-365549 | GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds CVE reference, VulDB · vdb-entry, technical-description
- VDB-365549 | CTI Indicators (IOB, IOC, IOA) CVE reference, VulDB · signature, permissions-required
- Submit #814275 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) Out-of-bounds Read (CWE-125) CVE reference, VulDB · third-party-advisory
- https://github.com/LibreDWG/libredwg/issues/1248 CVE reference, VulDB · issue-tracking
- https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_oob_write_read_2004_compressed_section.dwg CVE reference, VulDB · exploit
- https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be54d300 CVE reference, VulDB · patch
- https://www.gnu.org/ CVE reference, VulDB · product
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Restriction of Operations within the Bounds of a Memory Buffer represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Out-of-bounds Read
Out-of-bounds Read represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.