List of known vulnerabilities in Qt products
Security advisories in Qt products
Qt Framework
CVE-2024-39936
HTTP2 vulnerability with non-matching TLS certificates
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed. Fixed in 5.15.19, 6.2.14, 6.5.8 and 6.7.4.
CVE-2024-36048
Predictable nonces in QtNetworkAuth
QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. Fixed in Qt 5.15.17, 6.2.14, 6.5.6, 6.7.1.
CVE-2024-33861
QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack
QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack. Qt itself is not vulnerable to remote attack; however, an application using QStringDecoder, either directly or indirectly, can be vulnerable. Qt does not automatically use any of those codecs, so an application is only vulnerable if it implements something using QStringDecoder. This affects Qt 6.5.0 through 6.5.5, 6.6.x and 6.7.0. Fixed in Qt 6.5.6 and 6.7.1.
CVE-2024-30161
Use-After-Free in Qt for WebAssembly’s implementation of QNetworkReply
In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). Fixed in Qt 6.5.6 and 6.7.0.
CVE-2024-25580
OOB read in QKtxHandler
An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. Fixed in Qt 5.15.18, 6.2.13, 6.5.6 and 6.7.0.
CVE-2023-51714
Ineffective integer overflow check in HPack implementation
An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. Fixed in Qt 5.15.18, 6.2.12, 6.5.5 and 6.7.0.
CVE-2023-38197
QXmlStreamReader can freeze or run out of memory on recursive entity expansion, with DTD tokens in XML body
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. Fixed in Qt 5.15.16, 6.2.11, and 6.5.4.
CVE-2023-45872
QML Image bad source crashes application instead of error status (QSvgHandler::parse)
An issue was discovered in Qt before 6.2.11 and 6.3.x through 6.6.x before 6.6.1. When a QML image refers to an image whose content is not known yet, there is an assumption that it is an SVG document, leading to a denial of service (application crash) if it is not actually an SVG document. Fixed in Qt 6.2.12 and 6.6.2.
CVE-2023-43114
Crash on corrupted font data
An issue was discovered in Qt before 5.15.16, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3 on Windows. When using the GDI font engine, if a corrupted font is loaded via QFontDatabase::addApplicationFont[FromData], then it can cause the application to crash because of missing length checks. Fixed in Qt 5.15.17, 6.2.11 and 6.5.4.
CVE-2023-32763
Integer overflow in qfixed_p.h when rendering SVG image on the minimal plugin
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When an SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered. Fixed in Qt 5.15.16, 6.2.10, and 6.5.2.
CVE-2023-37369
Potential buffer overflow in QXmlStreamReader
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. Fixed in Qt 5.15.16, 6.2.10, and 6.5.3.
CVE-2023-34410
Possible vulnerability regarding SSL implementation in Qt
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. Fixed in Qt 5.15.16, 6.2.10, and 6.5.3.
CVE-2023-33285
QDnsLookup buffer overflow UB on Unix
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. Fixed in Qt 5.15.15, 6.2.10, and 6.5.2.
CVE-2023-32762
Qt Network incorrectly parses the strict-transport-security (HSTS) header
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match. Fixed in Qt 5.15.15, 6.2.10, and 6.5.2.