Nixpkgs security tracker

Permalink CVE-2026-9501

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
3 references
6 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion

A vulnerability was determined in GNU LibreDWG up to 0.14. The impacted element is the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. Executing a manipulation can lead to reachable assertion. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. A patch should be applied to remediate this issue.

References

VDB-365483 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section assertion vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1242 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_asse… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch

Ignored references (3)

https://www.gnu.org/ product
VDB-365483 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
Submit #814250 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Reachable Assertion (CWE-617) third-party-advisory

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Permalink CVE-2026-9500

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
3 references
6 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow

A vulnerability was found in GNU LibreDWG up to 0.14. The affected element is the function read_2004_compressed_section of the file src/decode.c of the component Dwgread Utility. Performing a manipulation results in heap-based buffer overflow. The attack is only possible with local access. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

References

VDB-365482 | GNU LibreDWG Dwgread Utility decode.c read_2004_compressed_section heap-based overflow vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1241 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit

Ignored references (3)

https://www.gnu.org/ product
Submit #814248 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
VDB-365482 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Permalink CVE-2026-9504

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): None (N)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): None (N)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
3 references
6 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds

A weakness has been identified in GNU LibreDWG up to 0.14. Affected is the function bit_convert_TU of the file programs/dwggrep.c of the component Dwggrep Utility. This manipulation causes out-of-bounds read. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: be996bf2178a40e98720f18c2414815d244413db. Applying a patch is the recommended action to fix this issue.

References

VDB-365486 | GNU LibreDWG Dwggrep Utility dwggrep.c bit_convert_TU out-of-bounds vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1246 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/be996bf2178a40e98720f18c2414815d244… patch

Ignored references (3)

Submit #814261 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) Out-of-bounds Read (CWE-125) third-party-advisory
VDB-365486 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required
https://www.gnu.org/ product

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.2
==0.10
==0.5
==0.6
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Permalink CVE-2026-9503

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): None (N)
Vulnerable System Impact Integrity (VI): None (N)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): None (N)
Modified Vulnerable System Impact Integrity (MVI): None (N)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
3 references
6 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference

A security flaw has been discovered in GNU LibreDWG up to 0.14. This impacts the function dwg_next_entity of the file src/decode.c of the component DWG File Handler. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as 8f03865f37f5d4ffd616fef802acc980be54d300. Upgrading the affected component is advised.

References

VDB-365485 | GNU LibreDWG DWG File decode.c dwg_next_entity null pointer dereference vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1245 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/8f03865f37f5d4ffd616fef802acc980be5… patch

Ignored references (3)

Submit #814260 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (2026-04-10) NULL Pointer Dereference (CWE-476) third-party-advisory
https://www.gnu.org/ product
VDB-365485 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Permalink CVE-2026-9502

1.9 LOW

CVSS version (CVSS): 4.0
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): Low (L)
Vulnerable System Impact Integrity (VI): Low (L)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Exploit Maturity (E): POC (P)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): Low (L)
Modified Vulnerable System Impact Integrity (MVI): Low (L)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)

updated 6 hours ago by @LeSuisse Activity log

Created suggestion 12 hours ago
@LeSuisse ignored
3 references
6 hours ago
@LeSuisse accepted 6 hours ago
@LeSuisse published on GitHub 6 hours ago

GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow

A vulnerability was identified in GNU LibreDWG up to 0.14. This affects the function decompress_R2004_section of the file src/decode.c of the component Dwgread Utility. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is e501cb9926c1e9a07a0d1cc997f3e69e9be801c9. To fix this issue, it is recommended to deploy a patch.

References

VDB-365484 | GNU LibreDWG Dwgread Utility decode.c decompress_R2004_section heap-based overflow vdb-entrytechnical-description
https://github.com/LibreDWG/libredwg/issues/1243 issue-tracking
https://github.com/HackC0der/CVE-Repos/blob/main/libredwg/libredwg_6d6a339_heap… exploit
https://github.com/LibreDWG/libredwg/commit/e501cb9926c1e9a07a0d1cc997f3e69e9be… patch

Ignored references (3)

https://www.gnu.org/ product
Submit #814259 | LibreDWG Project LibreDWG <= 0.14, main branch up to commit 6d6a339 (released 2026-04-10) Heap-based Buffer Overflow (CWE-122) third-party-advisory
VDB-365484 | CTI Indicators (IOB, IOC, IOA) signaturepermissions-required

Affected products

LibreDWG

==0.14
==0.9
==0.7
==0.3
==0.1
==0.4
==0.10
==0.5
==0.6
==0.2
==0.11
==0.12
==0.13
==0.8

Matching in nixpkgs

pkgs.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python312Packages.libredwg

Free implementation of the DWG file format

nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python313Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4
nixos-25.11 0.13.3
- nixos-25.11-small 0.13.3
- nixpkgs-25.11-darwin 0.13.3

pkgs.python314Packages.libredwg

Free implementation of the DWG file format

nixos-unstable 0.13.4
- nixpkgs-unstable 0.13.4
- nixos-unstable-small 0.13.4

Package maintainers

@thorstenweber83 Thorsten Weber <tw+nixpkgs@360vier.de>

Suggestions search

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers

References

Affected products

Matching in nixpkgs

pkgs.libredwg

pkgs.python312Packages.libredwg

pkgs.python313Packages.libredwg

pkgs.python314Packages.libredwg

Package maintainers