How to fix EUVD-2025-18092?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Is Use After Free affected by EUVD-2025-18092?

CVE-2025-5991 is a low-severity vulnerability in There (CVSS 2.1). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

EUVD-2025-18092

| CVE-2025-5991 LOW

2025-06-11 a59d8014-47c4-4630-ab43-e1b13cbe58e3

2.1

CVSS 4.0

CVSS Vector

CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

None

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 14, 2026 - 21:09 vuln.today

EUVD ID Assigned

Mar 14, 2026 - 21:09 euvd

EUVD-2025-18092

CVE Published

Jun 11, 2025 - 08:15 nvd

LOW 2.1

Description

There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses. This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.

Analysis

This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.

Technical Context

A use-after-free vulnerability occurs when a program continues to use a pointer after the referenced memory has been freed, leading to undefined behavior. This vulnerability is classified as Use After Free (CWE-416).

Affected Products

Affected: Qt 6

Remediation

Use memory-safe languages. Implement proper object lifecycle management. Use static and dynamic analysis tools to detect UAF patterns.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +10

POC: 0

Vendor Status

Ubuntu

Priority: Medium

qt6-base

Release	Status	Version
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

qtbase-opensource-src-gles

Release	Status	Version
xenial	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

qtbase-opensource-src

Release	Status	Version
oracular	ignored	end of life, was needs-triage
upstream	released	6.9.1
focal	not-affected	code not present
bionic	not-affected	code not present
jammy	not-affected	code not present
noble	not-affected	code not present
plucky	not-affected	code not present
questing	not-affected	code not present
xenial	not-affected	code not present

Debian

qt6-base

Release	Status	Fixed Version	Urgency
bookworm	fixed	6.4.2+dfsg-10	-
trixie	fixed	6.8.2+dfsg-9+deb13u1	-
forky, sid	fixed	6.9.2+dfsg-4	-
(unstable)	not-affected	-	-

qtbase-opensource-src

Release	Status	Fixed Version	Urgency
bullseye	fixed	5.15.2+dfsg-9+deb11u1	-
bullseye (security)	fixed	5.15.2+dfsg-9+deb11u2	-
bookworm	fixed	5.15.8+dfsg-11+deb12u3	-
trixie	fixed	5.15.15+dfsg-6+deb13u1	-
forky, sid	fixed	5.15.17+dfsg-7	-
(unstable)	not-affected	-	-

qtbase-opensource-src-gles

Release	Status	Fixed Version	Urgency
bullseye	fixed	5.15.2+dfsg-4	-
bookworm	fixed	5.15.8+dfsg-3	-
trixie	fixed	5.15.15+dfsg-2	-
forky, sid	fixed	5.15.17+dfsg-2	-
(unstable)	not-affected	-	-

EUVD-2025-18092 vulnerability details – vuln.today

Back

EUVD-2025-18092

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

EUVD-2025-18092

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code