Skip to main content

Qt SVG CVE-2026-6210

| EUVDEUVD-2026-27681 HIGH
Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)
2026-05-06 TQtC GHSA-mh4x-qpf6-hr3q
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 06, 2026 - 14:00 vuln.today
Patch available
May 06, 2026 - 13:32 EUVD
CVSS changed
May 06, 2026 - 12:22 NVD
8.7 (HIGH)

DescriptionCVE.org

A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.

When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service).

This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.

AnalysisAI

Type confusion in Qt SVG renderer allows remote denial of service through malicious SVG images. Attackers can craft SVG files with self-referencing marker elements that trigger out-of-bounds heap reads and infinite recursion, crashing applications that parse the SVG. Affects Qt 6.7.0-6.8.7 and 6.9.0-6.11.0. Vendor patch available via code review platform. CVSS 8.7 reflects network delivery vector with no authentication required, though actual exploitation requires victim to open or render the crafted SVG file.

Technical ContextAI

Qt SVG is The Qt Company's module for rendering Scalable Vector Graphics within Qt applications. The vulnerability stems from unsafe type casting (CWE-843: Access of Resource Using Incompatible Type) in the SVG marker reference processing code. SVG markers are graphical elements used to decorate path endpoints or vertices. The renderer's QSvgMarker casting logic assumes any node retrieved by ID is the expected type without runtime verification. When a non-marker element like QSvgLine references itself as a marker, the size mismatch between QSvgLine and QSvgMarker objects causes out-of-bounds heap memory access. The incorrect virtual function dispatch then bypasses the recursion guard designed to prevent infinite loops, resulting in stack exhaustion. This type confusion pattern is common in parsers handling polymorphic DOM structures where node type assumptions are not validated.

RemediationAI

Upgrade Qt SVG to version 6.8.8 or later for the 6.7.x-6.8.x series, or to version 6.11.1 or later for the 6.9.x-6.11.x series. Vendor-released patch available through Qt's code review system at https://codereview.qt-project.org/c/qt/qtsvg/+/724887. For organizations unable to upgrade immediately, implement input validation to reject SVG files containing self-referential marker definitions (elements with marker-start, marker-mid, or marker-end attributes pointing to their own ID). Deploy application-level sandboxing or resource limits (stack size, CPU time) to contain crashes and prevent denial of service escalation. Note that SVG filtering may break legitimate use cases where complex marker graphs are required. Restrict SVG processing to trusted sources where possible, though this does not eliminate risk from compromised or malicious content providers. Monitor application crash logs for patterns indicating SVG parsing failures as an early detection mechanism.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP7 Fixed
SUSE Linux Enterprise Server 16.0 Fixed
SUSE Linux Enterprise Server 16.1 Fixed
SUSE Linux Enterprise Server for SAP applications 16.0 Fixed

Share

CVE-2026-6210 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy