Skip to main content

Ubuntu CVE-2025-10729

| EUVDEUVD-2025-32489 CRITICAL
Use After Free (CWE-416)
2025-10-03 a59d8014-47c4-4630-ab43-e1b13cbe58e3
Critical
Disputed · 9.4 NVD
Share

Severity by source

Sources disagree (Low–Critical)
NVD PRIMARY
9.4 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/RE:H/U:Red
Ubuntu
MEDIUM
qualitative
SUSE
3.1 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
8.6 HIGH
qualitative

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/RE:H/U:Red
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
P

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:29 euvd
EUVD-2025-32489
Analysis Generated
Mar 13, 2026 - 19:29 vuln.today
CVE Published
Oct 03, 2025 - 16:16 nvd
CRITICAL 9.4

DescriptionCVE.org

The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.

AnalysisAI

Use-after-free in SVG pattern parsing — pattern node deleted but accessed later.

Technical ContextAI

CWE-416.

RemediationAI

Apply fix.

Vendor StatusVendor

Ubuntu

Priority: Medium
qt6-svg
Release Status Version
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage
questing needs-triage -
qtsvg-opensource-src
Release Status Version
bionic needed -
focal needed -
jammy needed -
noble needed -
upstream released 6.10.0
xenial needed -
plucky ignored end of life, was needed
questing needed -

Debian

Bug #1117445
qt6-svg
Release Status Fixed Version Urgency
bookworm vulnerable 6.4.2-2 -
trixie vulnerable 6.8.2-3 -
forky, sid vulnerable 6.9.2-5 -
(unstable) fixed (unfixed) -
qtsvg-opensource-src
Release Status Fixed Version Urgency
bullseye vulnerable 5.15.2-3 -
bookworm vulnerable 5.15.8-3 -
trixie vulnerable 5.15.15-2 -
forky, sid vulnerable 5.15.17-3 -
(unstable) fixed (unfixed) -

SUSE

Severity: Low
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Basesystem 15 SP7 Fixed
SUSE Linux Enterprise Module for Desktop Applications 15 SP7 Fixed

Share

CVE-2025-10729 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy