CVE-2019-20914

9.8 CRITICAL

📋 TL;DR

CVE-2019-20914 is a NULL pointer dereference in GNU LibreDWG, reached while encoding entity handle data from a crafted DWG file. Every system that passes untrusted DWG files to LibreDWG 0.9.3 or earlier, whether through its command-line tools or through an application linked against the library, is affected. The realistic outcome is a crash of the parsing process (denial of service); the 9.8 CVSS rating comes from the scored vector, and no code-execution path is documented for this bug, so treat the critical label as an upper bound rather than a demonstrated impact.

💻 Affected Systems

Products:
  • GNU LibreDWG
Versions: All versions through 0.9.3
Operating Systems: Linux, Windows, macOS, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Any application or tool that uses LibreDWG to parse attacker-supplied DWG files is exposed; the library has no configuration setting that turns the affected code off. The dereference occurs while encoding entity handle data.

📦 What is this software?

GNU LibreDWG is a free C library for reading and writing AutoCAD DWG drawing files, distributed with command-line tools such as dwgread, dwg2dxf and dxf2dwg that are built on it. It is used by CAD viewers, converters and import pipelines that need DWG support without AutoCAD.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Code execution leading to system compromise, but only if the NULL dereference could be turned into a controlled memory corruption. A plain NULL read or write in an ordinary user-space process faults on the unmapped zero page and terminates the process, so treat this outcome as theoretical unless a further primitive is found.

🟠

Likely Case

Application crash (denial of service) when processing specially crafted DWG files, potentially causing data loss or service disruption.

🟢

If Mitigated

Limited impact with sandboxing and a restricted set of DWG sources: the worst realistic result is a crash of the sandboxed parsing process.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes (no authentication is involved; the trigger is a DWG file the target parses)
Complexity: MEDIUM

Exploitation requires crafting a DWG file whose entity handle data reaches the NULL dereference. That reliably crashes the parser; turning a NULL dereference into code execution would need a separate memory-corruption primitive, and none is documented for this bug.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.4 and later

Vendor Fix Commit: https://github.com/LibreDWG/libredwg/commit/3b837bb72d6b9ab4d563faa211f90efc257e3c96

Restart Required: Yes

Instructions:

1. Update LibreDWG to version 0.9.4 or later (distribution package or a rebuild from the tagged release).
2. Rebuild applications that link LibreDWG statically; dynamically linked ones pick up the new libredwg.so on restart.
3. Restart affected services and any long-running process that still has the old library mapped.

🔧 Temporary Workarounds

Input validation and sanitization

Applies to: all

Restrict which sources may submit DWG files and enforce size limits before LibreDWG sees them. A header check (the file starts with a version string such as AC1015 or AC1032) rejects obviously wrong uploads, but it cannot screen out a crafted file that is well formed up to the faulting entity, so this reduces exposure rather than closing the bug.

Sandboxing

Applies to: linux

Run the LibreDWG tool that parses untrusted files in a sandbox with no network, a throwaway home directory and no privilege escalation, so a crash, or anything worse, stays inside the sandbox:

firejail --net=none --private --nonewprivs --caps.drop=all dwg2dxf /tmp/untrusted.dwg
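A wrapper around that sandbox, added here as an example and not code from the advisory or from the LibreDWG project. It assumes firejail and coreutils timeout are installed, that dwg2dxf accepts -o for the output path, and that firejail passes through the child's exit status (128+N when the child dies from signal N); the verdict names are this example's own.

```shell
#!/bin/sh
# Added example wrapper: convert an untrusted DWG under firejail and turn the
# exit status into a verdict that can be logged or alerted on.
# Assumptions (not from the advisory): firejail and coreutils timeout exist,
# dwg2dxf takes "-o OUT IN", and firejail forwards the child's exit status.

TOOL="${DWG_TOOL:-dwg2dxf}"   # LibreDWG converter being wrapped (assumed CLI)
LIMIT="${DWG_TIMEOUT:-30}"    # seconds before the parse is killed

# Map an exit status to a short verdict.
classify_exit() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;          # coreutils timeout: limit reached
        139) echo "crash-sigsegv" ;;    # 128+11: segfault, e.g. a NULL dereference
        134) echo "crash-sigabrt" ;;    # 128+6: abort(), e.g. assertion or sanitizer
        *)   if [ "$1" -gt 128 ]; then echo "crash-signal-$(( $1 - 128 ))"; else echo "error-$1"; fi ;;
    esac
}

# Convert $1 (untrusted .dwg) into $2 (.dxf). The tool only sees a copy of the
# input inside a scratch directory that is mounted as its home; no network,
# no new privileges, all capabilities dropped, default seccomp filter.
convert_sandboxed() {
    in="$1"; out="$2"
    scratch="$(mktemp -d)"
    cp -- "$in" "$scratch/input.dwg"
    # --private=DIR makes DIR the sandbox home, so $HOME/... resolves to the copy.
    if firejail --quiet --net=none --private="$scratch" --nonewprivs --noroot \
            --caps.drop=all --seccomp \
            timeout "$LIMIT" "$TOOL" -o "$HOME/output.dxf" "$HOME/input.dwg"; then
        status=0
    else
        status=$?
    fi
    verdict="$(classify_exit "$status")"
    if [ "$verdict" = ok ] && [ -f "$scratch/output.dxf" ]; then
        mv -- "$scratch/output.dxf" "$out"
    else
        # A crash on attacker-supplied input is the indicator this advisory describes.
        logger -t dwg-sandbox "rejected $in: $verdict (exit $status)"
    fi
    rm -rf -- "$scratch"
    echo "$verdict"
}

# Usage: sh dwg_sandbox.sh untrusted.dwg out.dxf
if [ $# -eq 2 ]; then convert_sandboxed "$1" "$2"; fi
```

The wrapper never runs the converter against the original path, and it treats any signal death or timeout as a rejection, so a crashing sample cannot leave a half-written output behind.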

🧯 If You Can't Patch

  • Implement network segmentation to isolate systems running vulnerable LibreDWG versions
  • Deploy application allowlisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

LibreDWG installs no libredwg binary; read the version through one of its tools or, if the libredwg.pc file is installed, through pkg-config. If the version is 0.9.3 or earlier, the system is vulnerable.

Check Version:

dwgread --version
pkg-config --modversion libredwg

Verify Fix Applied:

After updating, confirm the reported version is 0.9.4 or later, confirm that running applications have loaded the new shared library (for example with ldd on the binary or lsof against libredwg.so), and re-run any DWG sample that previously crashed to see that it now fails cleanly or parses.
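A check script, added here as an example rather than anything shipped by LibreDWG. It reads the installed version from pkg-config (assuming a libredwg.pc file is installed) or from the dwgread banner (assumed to contain the dotted version number) and compares it against 0.9.4 component by component, so a 0.10.x or 0.12.x release is not mistaken for an older one by string comparison.

```shell
#!/bin/sh
# Added example: is the installed LibreDWG at or below 0.9.3?
# Assumptions (local-install details, not from the advisory): either a
# libredwg.pc pkg-config file is installed, or dwgread is on PATH and its
# --version banner contains the dotted version number.

FIXED_VERSION="0.9.4"   # first release with the fix, per the advisory

# True (exit 0) when dotted version $1 is strictly lower than $2.
# Compares numerically per component, so 0.10.0 is not "older" than 0.9.4.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"; bi="${bi:-0}"     # a missing component counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# Pull the first dotted number out of a banner such as "dwgread 0.9.3".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# Print "vulnerable" or "fixed" for a version string.
classify_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo "vulnerable"; else echo "fixed"; fi
}

# Find the installed version: pkg-config first, then the dwgread banner.
installed_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists libredwg 2>/dev/null; then
        pkg-config --modversion libredwg
    elif command -v dwgread >/dev/null 2>&1; then
        extract_version "$(dwgread --version 2>&1)"
    else
        return 1
    fi
}

main() {
    if v="$(installed_version)" && [ -n "$v" ]; then
        echo "LibreDWG $v: $(classify_version "$v")"
    else
        echo "LibreDWG not found via pkg-config or dwgread" >&2
        return 2
    fi
}

# Usage: sh check_libredwg.sh --check   (the functions can also be sourced)
if [ "${1:-}" = "--check" ]; then main; fi
```

Run it on each host that converts DWG files; a "vulnerable" verdict on a host whose package manager claims to be current usually means a vendored or statically linked copy that the package update did not touch.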

📡 Detection & Monitoring

Log Indicators:

  • Crashes of LibreDWG tools (dwgread, dwg2dxf, dxf2dwg, dwgrewrite) or of applications linked against libredwg
  • Kernel "segfault at <addr>" lines naming libredwg or one of those tools; a fault address of 0 or a small offset from 0 (the unmapped NULL page) is the signature of a NULL pointer dereference, and "error 4" marks a user-mode read of an unmapped page

Network Indicators:

  • Unusual file transfers of DWG files to vulnerable systems

SIEM Query:

source="*syslog*" AND "segfault at" AND ("libredwg" OR "dwgread" OR "dwg2dxf" OR "dxf2dwg")
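The same triage expressed as a log scanner, added here as an example and not part of the advisory. It reads kernel segfault lines in the syslog-wrapped format shown in the constructed sample, keeps those whose faulting address lies in the NULL page and whose process or module belongs to LibreDWG, and discards other crashes.

```shell
#!/bin/sh
# Added example: pick NULL-page faults in LibreDWG out of kernel segfault lines.
# The log lines below are constructed for this example; the format is the
# standard Linux "segfault at ADDR ip ... sp ... error N in MODULE[...]" line
# as it appears after syslog wrapping. ADDR is hex without a 0x prefix;
# error 4 = user-mode read of an unmapped page, error 6 = user-mode write.

SAMPLE_LOG='Mar  4 10:01:12 cadhost kernel: [12345.678901] dwg2dxf[4242]: segfault at 0 ip 00007f3b2c1d5e10 sp 00007ffd4a2b3c40 error 4 in libredwg.so.0.0.0[7f3b2c100000+200000]
Mar  4 10:02:00 cadhost kernel: [12400.000000] python3[5151]: segfault at 7f00deadbeef ip 00007f00de0c1234 sp 00007ffc00112233 error 6 in libc.so.6[7f00de000000+1c0000]
Mar  4 10:03:30 cadhost kernel: [12500.000000] dwgread[6161]: segfault at 18 ip 00007f9a1c0a2b00 sp 00007ffc11223344 error 4 in libredwg.so.0.0.0[7f9a1c000000+200000]
Mar  4 10:04:00 cadhost sshd[700]: Accepted publickey for ops from 10.0.0.5 port 51234'

# Exit 0 when $1 is a segfault line whose fault address is below 0x1000
# (the unmapped NULL page) and whose process or module belongs to LibreDWG.
is_libredwg_null_fault() {
    line="$1"
    case "$line" in
        *"segfault at "*) ;;
        *) return 1 ;;
    esac
    addr="${line#*segfault at }"
    addr="${addr%% *}"                                       # the hex fault address
    addr="$(printf '%s' "$addr" | sed 's/^0x//; s/^0*//')"   # drop any prefix and leading zeros
    [ "${#addr}" -le 3 ] || return 1                         # at most 0xfff once zeros are gone
    case "$line" in
        *libredwg*|*dwgread*|*dwg2dxf*|*dxf2dwg*|*dwgrewrite*|*dwgwrite*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read log lines on stdin, print the ones that match.
scan_log() {
    while IFS= read -r l; do
        if is_libredwg_null_fault "$l"; then printf '%s\n' "$l"; fi
    done
}

# Number of hits in the constructed sample (dwg2dxf at 0 and dwgread at 0x18).
sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_log | wc -l | tr -d ' '
}

# Usage: sh scan_dwg_faults.sh /var/log/kern.log
if [ -n "${1:-}" ]; then scan_log < "$1"; fi
```

The address test is what separates this bug's signature from a generic crash: a fault at 0x18 is still a NULL dereference (a field read through a NULL struct pointer), while the python3 fault at a high heap address is unrelated and is dropped.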
