{"id":"CVE-2026-9502","summary":"GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow","details":"A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch.","modified":"2026-07-08T08:13:42.623948909Z","published":"2026-05-25T20:45:10.399Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9502.json","unresolved_ranges":[{"source":"AFFECTED_FIELD","extracted_events":[{"introduced":"0.1"},{"last_affected":"0.1"},{"introduced":"0.2"},{"last_affected":"0.2"}]}],"cwe_ids":["CWE-119","CWE-122"],"cna_assigner":"VulDB"},"references":[{"type":"WEB","url":"https://www.gnu.org/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9502.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-9502"},{"type":"ADVISORY","url":"https://vuldb.com/submit/814259"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/365484"},{"type":"REPORT","url":"https://github.com/LibreDWG/libredwg/issues/1243"},{"type":"REPORT","url":"https://vuldb.com/vuln/365484/cti"},{"type":"FIX","url":"https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be801c9"},{"type":"EVIDENCE","url":"https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap_overflow_decompress_R2004_section.dwg"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/libredwg/libredwg","events":[{"introduced":"66201afa2e70bd31c22e6666e3e49be2d8bca031"},{"fixed":"e501cb9926c1e9a07a0d1cc997f3e69e9be801c9"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0.3"},{"last_affected":"0.3"},{"introduced":"0.4"},{"last_affected":"0.4"},{"introduced":"0.5"},{"last_affected":"0.5"},{"introduced":"0.6"},{"last_affected":"0.6"},{"introduced":"0.7"},{"last_affected":"0.7"},{"introduced":"0.8"},{"last_affected":"0.8"},{"introduced":"0.9"},{"last_affected":"0.9"},{"introduced":"0.10"},{"last_affected":"0.10"},{"introduced":"0.11"},{"last_affected":"0.11"},{"introduced":"0.12"},{"last_affected":"0.12"},{"introduced":"0.13"},{"last_affected":"0.13"},{"introduced":"0.14"},{"last_affected":"0.14"}]}}],"versions":["0.10","0.11","0.12","0.13","0.14","0.3","0.4","0.5","0.6","0.7","0.8","0.9","0.13.4.8163","0.13.4.8160","0.13.4.8149","0.13.4.8144","0.13.4.8140","0.13.4.8131","0.13.4.8129","0.13.4.8123","0.13.4.8118","0.13.4.8115","0.13.4.8112","0.13.4.8104","0.13.4.8091","0.13.4.8085","0.13.4.8055","0.13.4.8051","0.13.4.8043","0.13.4.8036","0.13.4.8028","0.13.4.8018","0.13.4.8014","0.13.4.8001","0.13.4.7998","0.13.4.7985","0.13.4.7976","0.13.4.7974","0.13.4.7969","0.13.4","0.13.3.7918","0.13.3.7913","0.13.3.7906","0.13.3.7901","0.13.3.7897","0.13.3.7883","0.13.3.7873","0.13.3.7867","0.13.3.7861","0.13.3.7852","0.13.3.7851","0.13.3.7850","0.13.3.7849","0.13.3.7848","0.13.3.7846","0.13.3.7842","0.13.3.7835","0.13.3.7828","0.13.3.7825","0.13.3.7819","0.13.3.7816","0.13.3.7813","0.13.3.7812","0.13.3.7810","0.13.3.7808","0.13.3.7805","0.13.3.7802","0.13.3.7797","0.13.3.7794","0.13.3.7792","0.13.3.7789","0.13.3.7778","0.13.3.7776","0.13.3.7772","0.13.3.7763","0.13.3.7761","0.13.3.7752","0.13.3.7743","0.13.3.7741","0.13.3.7737","0.13.3.7730","0.13.3.7727","0.13.3.7721","0.13.3.7715","0.13.3.7702","0.13.3.7696","0.13.3.7690","0.13.3.7686","0.13.3.7685","0.13.3.7680","0.13.3.7675","0.13.3.7665","0.13.3.7663","0.13.3.7657","0.13.3.7650","0.13.3.7649","0.13.3.7646","0.13.3.7640","0.13.3.7637","0.13.3.7635","0.13.3.7603","0.13.3.7600","0.13.3.7599","0.13.3.7582","0.13.3.7577","0.13.3.7574","0.13.3.7571","0.13.3.7562","0.13.3.7558","0.13.3.7557","0.13.3.7554","0.13.3.7552","0.13.3.7551","0.13.3.7545","0.13.3.7539","0.13.3.7535","0.13.3.7534","0.13.3.7533","0.13.3.7516","0.13.3.7507","0.13.3.7501","0.13.3.7491","0.13.3.7483","0.13.3.7473","0.13.3.7472","0.13.3.7469","0.13.3.7466","0.13.3.7460","0.13.3.7456","0.13.3.7453","0.13.3.7445","0.13.3.7442","0.13.3.7437","0.13.3.7434","0.13.3.7431","0.13.3.7429","0.13.3.7426","0.13.3.7424","0.13.3.7420","0.13.3.7414","0.13.3.7412","0.13.3.7411","0.13.3.7409","0.13.3.7405","0.13.3.7385","0.13.3.7377","0.13.3.7371","0.13.3.7351","0.13.3.7345","0.13.3.7344","0.13.3.7341","0.13.3.7338","0.13.3.7327","0.13.3.7324","0.13.3.7320","0.13.3.7308","0.13.3.7306","0.13.3.7298","0.13.3.7273","0.13.3.7270","0.13.3.7268","0.13.3.7265","0.13.3.7264","0.13.3.7262","0.13.3.7259","0.13.3.7257","0.13.3.7251","0.13.3.7246","0.13.3.7240","0.13.3.7233","0.13.3.7227","0.13.3.7226","0.13.3.7225","0.13.3.7224","0.13.3.7223","0.13.3.7220","0.13.3.7217","0.13.3.7199","0.13.3.7190","0.13.3.7187","0.13.3.7186","0.13.3.7183","0.13.3.7176","0.13.3.7168","0.13.3.7166","0.13.3.7165","0.13.3.7163","0.13.3","0.13.2","0.13.1","0.12.5","0.12.4","0.12.3","0.12.2","0.12.1","0.11.1","0.10.1","0.9.3","0.9.2","0.9.1","0.6.2","0.6.1","0.4.938","0.4.924","0.4.900","0.4-dev"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9502.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}]}