CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear
Description (NVD)
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort).
This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
Analysis (AI)
Denial-of-service vulnerability in Qt's private qDecodeDataUrl() function that triggers an assertion failure when processing malformed data URLs with incomplete charset parameters. This affects Qt versions up to 5.15.18, 6.0.0-6.5.8, 6.6.0-6.8.3, and 6.9.0, impacting applications using QTextDocument and QNetworkReply. An attacker can crash Qt-based applications by sending a specially crafted data URL, resulting in service disruption; the vulnerability requires user interaction (UI involvement) but has a high CVSS score of 8.4 due to integrity and availability impact.
Technical Context (AI)
The vulnerability exists in QtCore's private API function qDecodeDataUrl(), which is responsible for parsing and decoding RFC 2397 data URLs. This function is internally used by QTextDocument (for rendering rich text) and QNetworkReply (for handling network responses), making it a critical internal component. The root cause is CWE-20 (Improper Input Validation), where the function fails to properly validate the structure of data URL parameters, specifically the 'charset' parameter. When a malformed data URL containing 'charset,' (with no value) is passed to the function, and Qt is compiled with assertions enabled (common in debug builds), the code hits an assertion check that was intended to catch internal logic errors. This assertion failure causes immediate process termination rather than graceful error handling. The vulnerability affects the private API layer, meaning it may also impact user code that directly calls qDecodeDataUrl(), though this is less common.
Remediation (AI)
1. Immediate: Upgrade to patched versions: Qt 5.15.19 or later (for 5.x users), Qt 6.5.9 or later (for 6.5.x users), Qt 6.8.4 or later (for 6.8.x users), or Qt 6.9.1 or later (for 6.9.x users).
2. Application-level mitigation: If immediate upgrade is not possible, implement input validation in application code that processes data URLs to reject malformed charset parameters before passing them to Qt functions. Validate that charset parameters have non-empty values following the format 'charset=<value>'.
3. Build configuration: If using affected Qt versions, compile with assertions disabled in production builds (using -DNDEBUG or equivalent), which will prevent the assertion failure from causing crashes (though the underlying bug remains).
4. Dependency audit: Identify all applications and libraries in your environment that depend on affected Qt versions and prioritize patching.
5. Monitor: Check Qt release notes and advisories for confirmation of fix completeness in each version.
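The application-level check from step 2, as an added example that is not Qt's code or its fix: a pre-filter in standard C++17 that rejects data URLs whose header carries a "charset" parameter without "=<value>". The function name is hypothetical, and the input is assumed to be already percent-decoded.

```cpp
// Added example: pre-filter for RFC 2397 data URLs (standard C++17, no Qt needed).
#include <algorithm>
#include <cctype>
#include <string_view>

// Case-insensitive check that `s` starts with the lowercase ASCII `prefix`.
static bool startsWithNoCase(std::string_view s, std::string_view prefix) {
    return s.size() >= prefix.size() &&
           std::equal(prefix.begin(), prefix.end(), s.begin(), [](char p, char c) {
               return p == static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
           });
}

// Strip leading and trailing spaces.
static std::string_view trimSpaces(std::string_view s) {
    while (!s.empty() && s.front() == ' ') s.remove_prefix(1);
    while (!s.empty() && s.back() == ' ') s.remove_suffix(1);
    return s;
}

// Hypothetical helper: returns true if `url` is not a data URL, or if every
// header segment starting with "charset" has the form charset=<non-empty value>.
// Deliberately conservative: anything that starts with "charset" but is not
// followed by '=' and a value is rejected.
bool dataUrlCharsetIsWellFormed(std::string_view url) {
    if (!startsWithNoCase(url, "data:")) return true;    // not a data URL: nothing to check
    url.remove_prefix(5);
    const auto comma = url.find(',');
    if (comma == std::string_view::npos) return false;   // RFC 2397 requires the comma
    std::string_view header = url.substr(0, comma);      // mediatype and parameters
    while (true) {
        const auto semi = header.find(';');
        const std::string_view seg = trimSpaces(header.substr(0, semi));
        if (startsWithNoCase(seg, "charset")) {
            const std::string_view rest = trimSpaces(seg.substr(7));  // after "charset"
            if (rest.size() < 2 || rest.front() != '=') return false; // no '=' or empty value
        }
        if (semi == std::string_view::npos) break;        // last segment handled
        header.remove_prefix(semi + 1);
    }
    return true;
}
```

Call it on untrusted URLs before they reach QTextDocument or QNetworkReply handling, and treat a false result as a rejected input.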
Vendor Status (Vendor)
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| focal | DNE | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |

| Release | Status | Version |
|---|---|---|
| bionic | ignored | changes too intrusive |
| xenial | ignored | changes too intrusive |
| upstream | released | 5.15.19, 6.5.9, 6.8.4, 6.9.1 |
| oracular | ignored | end of life, was needs-triage |
| questing | not-affected | 5.15.17+dfsg-1ubuntu1 |
| focal | ignored | changes too intrusive |
| jammy | ignored | changes too intrusive |
| noble | ignored | changes too intrusive |
| plucky | ignored | end of life, was ignored [changes too intrusive] |

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
Debian
Bug #1108474

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bookworm | vulnerable | 6.4.2+dfsg-10 | - |
| trixie | fixed | 6.8.2+dfsg-9+deb13u1 | - |
| forky, sid | fixed | 6.9.2+dfsg-4 | - |
| (unstable) | fixed | 6.8.2+dfsg-8 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 5.15.2+dfsg-9+deb11u1 | - |
| bullseye (security) | vulnerable | 5.15.2+dfsg-9+deb11u2 | - |
| bookworm | vulnerable | 5.15.8+dfsg-11+deb12u3 | - |
| trixie | fixed | 5.15.15+dfsg-6+deb13u1 | - |
| forky, sid | fixed | 5.15.17+dfsg-7 | - |
| (unstable) | fixed | 5.15.15+dfsg-6 | - |

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 5.15.2+dfsg-4 | - |
| bookworm | fixed | 5.15.8+dfsg-3 | - |
| trixie | fixed | 5.15.15+dfsg-2 | - |
| forky, sid | fixed | 5.15.17+dfsg-2 | - |
| (unstable) | not-affected | - | - |
EUVD-2025-16625