CVE-2026-9501
Deferred Deferred - Pending Action
Heap-based Assertion Failure in GNU LibreDWG

Publication date: 2026-05-25

Last updated on: 2026-05-25

Assigner: VulDB

Description
A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-25
Last Modified
2026-05-25
Generated
2026-06-15
AI Q&A
2026-05-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-9501
EUVD
EUVD-2026-31737
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gnu libredwg to 0.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-617 The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in GNU LibreDWG up to version 0.14, specifically in the decompress_R2004_section function within the src/decode.c file of the Dwgread Utility component. It can be triggered by a local attacker manipulating the function, which leads to a reachable assertion, potentially causing unexpected behavior or crashes. The vulnerability has been publicly disclosed and a patch is available to fix the issue.

Impact Analysis

The impact of this vulnerability is limited due to its low severity score and the requirement for local access. Exploiting it can cause a reachable assertion, which may lead to application crashes or denial of service. There is no indication of data disclosure or privilege escalation. However, the exploit is publicly known, so unpatched systems remain at risk.

Mitigation Strategies

To mitigate this vulnerability, you should apply the patch identified as e501cb9926c1e9a07a0d1cc997f3e69e9be801c9 to the GNU LibreDWG software.

Since the attack is restricted to local execution, limiting local access and ensuring that only trusted users have access to the system can also help reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-9501. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart