lowCVE-2026-15182

GNU LibreDWG dwg_bmp Heap Buffer Overflow Vulnerability

A vulnerability has been found in GNU LibreDWG up to 0.13.4. The affected element is the function dwg_bmp of the file src/dwg.c of the component BMP Image Handler. Such manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Upgrading to version 0.14 is sufficient to fix this issue. The name of the patch is 18fd542bb4d5ccedf9de12052bf50068b2b26f06. It is suggested to upgrade the affected component.

ProductLibreDWG
CVSS1.9
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

GNU LibreDWG should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • GNU LibreDWG up to 0.13.4

Fixed versions

  • 0.14

How to fix it

GNU LibreDWG up to 0.13.4 is affected by a heap-based buffer overflow in the dwg_bmp BMP image handler. Upgrade to LibreDWG 0.14 or later and rebuild dependent tools. Treat public DWG upload or conversion services as higher priority because attackers can submit crafted files for processing.

  1. Inventory LibreDWG installations and applications that parse DWG files or embedded BMP image data.
  2. Upgrade GNU LibreDWG to version 0.14 or later.
  3. Rebuild dependent packages, containers, conversion services, and static binaries.
  4. Run DWG processing in sandboxed workers with memory limits and no unnecessary filesystem access.
  5. Review crash reports and uploaded DWG samples for heap overflow indicators in dwg_bmp.
  6. Quarantine suspicious files submitted before patching.
  7. Add malformed BMP-in-DWG regression tests to the media/file processing pipeline.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm deployed LibreDWG tooling reports version 0.14 or later.
  • Validate malformed DWG files no longer trigger heap overflow crashes.
  • Review processing logs for repeated crashes or suspicious samples.
  • Test normal DWG parsing and conversion workflows after the update.
  • Run a Fixnx scan for public file upload workflows if LibreDWG is used behind the site.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-15182?

GNU LibreDWG versions listed as affected should be reviewed: GNU LibreDWG up to 0.13.4.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.