Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.
When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service).
This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
AnalysisAI
Type confusion in Qt SVG renderer allows remote denial of service through malicious SVG images. Attackers can craft SVG files with self-referencing marker elements that trigger out-of-bounds heap reads and infinite recursion, crashing applications that parse the SVG. Affects Qt 6.7.0-6.8.7 and 6.9.0-6.11.0. Vendor patch available via code review platform. CVSS 8.7 reflects network delivery vector with no authentication required, though actual exploitation requires victim to open or render the crafted SVG file.
Technical ContextAI
Qt SVG is The Qt Company's module for rendering Scalable Vector Graphics within Qt applications. The vulnerability stems from unsafe type casting (CWE-843: Access of Resource Using Incompatible Type) in the SVG marker reference processing code. SVG markers are graphical elements used to decorate path endpoints or vertices. The renderer's QSvgMarker casting logic assumes any node retrieved by ID is the expected type without runtime verification. When a non-marker element like QSvgLine references itself as a marker, the size mismatch between QSvgLine and QSvgMarker objects causes out-of-bounds heap memory access. The incorrect virtual function dispatch then bypasses the recursion guard designed to prevent infinite loops, resulting in stack exhaustion. This type confusion pattern is common in parsers handling polymorphic DOM structures where node type assumptions are not validated.
RemediationAI
Upgrade Qt SVG to version 6.8.8 or later for the 6.7.x-6.8.x series, or to version 6.11.1 or later for the 6.9.x-6.11.x series. Vendor-released patch available through Qt's code review system at https://codereview.qt-project.org/c/qt/qtsvg/+/724887. For organizations unable to upgrade immediately, implement input validation to reject SVG files containing self-referential marker definitions (elements with marker-start, marker-mid, or marker-end attributes pointing to their own ID). Deploy application-level sandboxing or resource limits (stack size, CPU time) to contain crashes and prevent denial of service escalation. Note that SVG filtering may break legitimate use cases where complex marker graphs are required. Restrict SVG processing to trusted sources where possible, though this does not eliminate risk from compromised or malicious content providers. Monitor application crash logs for patterns indicating SVG parsing failures as an early detection mechanism.
Same technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.6 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27681
GHSA-mh4x-qpf6-hr3q