CVE-2025-12385

| EUVD-2025-201103 HIGH
2025-12-03 a59d8014-47c4-4630-ab43-e1b13cbe58e3
8.7
CVSS 4.0
Share

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None

Lifecycle Timeline

4
Patch Released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 15, 2026 - 16:14 euvd
EUVD-2025-201103
Analysis Generated
Mar 15, 2026 - 16:14 vuln.today
CVE Published
Dec 03, 2025 - 20:16 nvd
HIGH 8.7

Tags

Microsoft Apple Google Denial Of Service Ubuntu Debian Android Windows macOS

Description

Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.

Analysis

Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.

This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.

Technical Context

A denial of service vulnerability allows an attacker to disrupt the normal functioning of a system, making it unavailable to legitimate users. This vulnerability is classified as Allocation of Resources Without Limits or Throttling (CWE-770).

Affected Products

Affected: Input vulnerability in The Qt Company Qt on Windows

Remediation

Implement rate limiting and input validation. Use timeout mechanisms for resource-intensive operations. Deploy DDoS protection where applicable.

Priority Score

44
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0

Vendor Status

Ubuntu

Priority: Medium
qt6-declarative
Release Status Version
plucky ignored end of life, was needs-triage
jammy needed -
noble needed -
questing needed -
upstream released -
qtdeclarative-opensource-src
Release Status Version
plucky ignored end of life, was needs-triage
bionic needed -
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released 5.15.17+dfsg-4
xenial needed -
qtdeclarative-opensource-src-gles
Release Status Version
plucky ignored end of life, was needs-triage
focal needed -
jammy needed -
noble needed -
questing needed -
upstream released -
xenial needed -

Debian

Bug #1122054
qt6-declarative
Release Status Fixed Version Urgency
bookworm vulnerable 6.4.2+dfsg-1 -
trixie vulnerable 6.8.2+dfsg-7 -
forky, sid vulnerable 6.9.2+dfsg-6 -
(unstable) fixed (unfixed) -
qtdeclarative-opensource-src
Release Status Fixed Version Urgency
bullseye vulnerable 5.15.2+dfsg-6 -
bookworm vulnerable 5.15.8+dfsg-3 -
trixie vulnerable 5.15.15+dfsg-3 -
forky, sid fixed 5.15.17+dfsg-4 -
(unstable) fixed 5.15.17+dfsg-4 -
qtdeclarative-opensource-src-gles
Release Status Fixed Version Urgency
bullseye vulnerable 5.15.2+dfsg-2 -
bookworm vulnerable 5.15.8+dfsg-1 -
trixie vulnerable 5.15.15+dfsg-2 -
forky, sid vulnerable 5.15.17+dfsg-2 -
experimental fixed 5.15.18+dfsg-1 -
(unstable) fixed (unfixed) -

Share

CVE-2025-12385 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy