CVE-2026-9501
Deferred Deferred - Pending Action

Heap-based Assertion Failure in GNU LibreDWG

Vulnerability report for CVE-2026-9501, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: VulDB

Description

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-07-05
AI Q&A
2026-05-26
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gnu libredwg to 0.14 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in GNU LibreDWG up to version 0.14, specifically in the decompress_R2004_section function within the src/decode.c file of the Dwgread Utility component. It can be triggered by a local attacker manipulating the function, which leads to a reachable assertion, potentially causing unexpected behavior or crashes. The vulnerability has been publicly disclosed and a patch is available to fix the issue.

Impact Analysis

The impact of this vulnerability is limited due to its low severity score and the requirement for local access. Exploiting it can cause a reachable assertion, which may lead to application crashes or denial of service. There is no indication of data disclosure or privilege escalation. However, the exploit is publicly known, so unpatched systems remain at risk.

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch identified as e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 to the GNU LibreDWG software.

Since the attack is restricted to local execution, limiting local access and ensuring that only trusted users have access to the system can also help reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart