Heap-Based Buffer Overflow in GNU LibreDWG Affecting Decompression Function
CVE-2026-15520

4.8MEDIUM

Key Information:

Vendor

Gnu

Status
Vendor
CVE Published:
13 July 2026

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

What is CVE-2026-15520?

A vulnerability exists in the R2004 Section Decompression function of GNU LibreDWG version 0.13.4-154-g0b573035 that may lead to a heap-based buffer overflow if exploited. This issue requires local access to be successfully executed. The vulnerability is linked to the decompress_R2004_section function found in src/decode.c, which can allow an attacker to manipulate the heap memory. A patch has been released in version 0.14.8396 to resolve this issue. Users are strongly encouraged to upgrade their installations to mitigate potential risks.

Affected Version(s)

LibreDWG 0.13.4-154-g0b573035

LibreDWG 0.14.8396

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

References

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ech06 (VulDB User)
.