Nixpkgs security tracker

Untriaged

Permalink CVE-2026-9605

5.5 MEDIUM

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 5 days, 20 hours ago Activity log

Created suggestion 5 days, 20 hours ago

GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow

A flaw has been found in GNU libredwg up to 0.13.4.8160. This issue affects the function bit_read_RC of the file bits.c of the component Dwgbmp Utility. This manipulation causes heap-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. Patch name: 8f03865f37f5d4ffd616fef802acc980be54d300. Applying a patch is the recommended action to fix this issue.

References

VDB-365678 | GNU libredwg Dwgbmp Utility bits.c bit_read_RC heap-based overflow vdb-entrytechnical-description
VDB-365678 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #818197 | LibreDWG libredwg (including the dwgbmp utility) 0.13.4.8160 Buffer Overflow third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1248 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be5… patch
https://www.gnu.org/ productbroken-link

Affected products

libredwg

==0.13.4.8160

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9529

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 5 days, 20 hours ago Activity log

Created suggestion 5 days, 20 hours ago

GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. The affected element is the function match_BLOCK_HEADER of the file dwggrep.c of the component Dwggrep Utility. Performing a manipulation results in null pointer dereference. The attack requires a local approach. The exploit has been released to the public and may be used for attacks.

References

VDB-365548 | GNU LibreDWG Dwggrep Utility dwggrep.c match_BLOCK_HEADER null pointer dereference vdb-entrytechnical-description
VDB-365548 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814273 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1247 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://www.gnu.org/ product

Affected products

LibreDWG

==0.8
==0.6
==0.9
==0.4
==0.13
==0.12
==0.3
==0.10
==0.11
==0.2
==0.5
==0.7
==0.1
==0.14

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9530

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 5 days, 20 hours ago Activity log

Created suggestion 5 days, 20 hours ago

GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds

A weakness has been identified in GNU LibreDWG up to 0.14. The impacted element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgbmp Utility. Executing a manipulation can lead to out-of-bounds read. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called 8f03865f37f5d4ffd616fef802acc980be54d300. It is advisable to implement a patch to correct this issue.

References

VDB-365549 | GNU LibreDWG Dwgbmp Utility decode.c read_2004_compressed_section out-of-bounds vdb-entrytechnical-description
VDB-365549 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814275 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) Out-of-bounds Read (CWE-125) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1248 issue-trackingexploit
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be5… patch
https://www.gnu.org/ product

Affected products

LibreDWG

==0.8
==0.6
==0.9
==0.4
==0.13
==0.3
==0.12
==0.10
==0.11
==0.2
==0.5
==0.7
==0.1
==0.14

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9501

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 6 days, 20 hours ago Activity log

Created suggestion 6 days, 20 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue.

References

VDB-365483 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion technical-descriptionvdb-entry
VDB-365483 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814250 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Reachable Assertion (CWE-617) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1242 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_asse… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.3
==0.13
==0.6
==0.7
==0.1
==0.8
==0.12
==0.4
==0.2
==0.10
==0.5
==0.11

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9502

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 6 days, 20 hours ago Activity log

Created suggestion 6 days, 20 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow

A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch.

References

VDB-365484 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow technical-descriptionvdb-entry
VDB-365484 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814259 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1243 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.13
==0.3
==0.9
==0.6
==0.7
==0.1
==0.8
==0.12
==0.4
==0.2
==0.10
==0.5
==0.11

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9503

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 6 days, 20 hours ago Activity log

Created suggestion 6 days, 20 hours ago

GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.

References

VDB-365485 | GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference technical-descriptionvdb-entry
VDB-365485 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814260 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1245 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be5… patch
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.3
==0.13
==0.6
==0.7
==0.1
==0.8
==0.12
==0.4
==0.2
==0.10
==0.5
==0.11

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9500

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 6 days, 20 hours ago Activity log

Created suggestion 6 days, 20 hours ago

GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow

A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-365482 | GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow technical-descriptionvdb-entry
VDB-365482 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814248 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1241 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.3
==0.13
==0.6
==0.7
==0.1
==0.8
==0.12
==0.4
==0.2
==0.10
==0.5
==0.11

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Untriaged

Permalink CVE-2026-9504

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

created 6 days, 20 hours ago Activity log

Created suggestion 6 days, 20 hours ago

GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds

A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue.

References

VDB-365486 | GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds technical-descriptionvdb-entry
VDB-365486 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814261 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) Out-of-bounds Read (CWE-125) third-party-advisory
https://github.com/LibreDWG/libredwg/issues/1246 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/be996bf2178a40e98720f18c2414815d244… patch
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.3
==0.13
==0.6
==0.7
==0.1
==0.8
==0.12
==0.4
==0.2
==0.10
==0.5
==0.11

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers