Affected versions are Qt 6.7 and later for both CVEs.

Volker

> On 8 Oct 2025, at 09:18, Jan Grulich via Development
> <[email protected]> wrote:
>
> Hi,
>
> Do these two CVEs also affect Qt5? Looking at the fixes and the code in Qt5 I
> would say they are easily backportable, but the code there is not 1:1. Can
> someone please confirm Qt5 is also affected?
>
> Thank you.
>
> Regards,
> Jan Grulich
>
> On Fri, 3 Oct 2025 at 16:48, List for announcements regarding Qt
> releases and development via Announce via Development
> <[email protected]> wrote:
> Two vulnerabilities in Qt SVG module have been discovered. Uncontrolled
> recursion vulnerability has been assigned the CVE id CVE-2025-10728. Whereas
> Use-After-Free vulnerability has been assigned the CVE id CVE-2025-10729.
>
> Uncontrolled recursion vulnerability in Qt SVG - CVE-2025-10728
>
> Affected versions: From Qt 6.7.0 to 6.8.4 and from 6.9.0 to 6.9.2.
> Impact: When the module renders an SVG file that contains a <pattern>
> element, it might end up rendering it recursively leading to stack overflow
> DoS.
> CVSS 4.0 Score: 9.4
>
> Mitigation: Ensure that all input to the Qt SVG module is only from trusted
> sources.
> Solution: Apply the following patch or update to Qt 6.9.3 or 6.8.5
> Patches:
> dev: https://codereview.qt-project.org/c/qt/qtsvg/+/654200
> Qt 6.9: https://codereview.qt-project.org/c/qt/qtsvg/+/670894 or
> https://download.qt.io/official_releases/qt/6.9/CVE-2025-10728-qtsvg-6.9.diff
> Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtsvg/+/671537 or
> https://download.qt.io/official_releases/qt/6.8/CVE-2025-10728-qtsvg-6.8.diff
>
>
> Use-After-Free vulnerability in Qt SVG - CVE-2025-10729
>
> Affected versions: From Qt 6.7.0 to 6.8.4 and from 6.9.0 to 6.9.2.
> Impact: When the module parses a <pattern> node which is not a child of a
> structural node, the node gets deleted after creation but might be accessed
> later leading to a use after free.
> CVSS 4.0 Score: 9.4
> Mitigation: Ensure that all input to the Qt SVG module is only from trusted
> sources.
> Solution: Apply the following patch or the patch attached or update to Qt
> 6.9.3 or 6.8.5
> Patches:
> dev: https://codereview.qt-project.org/c/qt/qtsvg/+/675562
> Qt 6.9: https://codereview.qt-project.org/c/qt/qtsvg/+/676501 or
> https://download.qt.io/official_releases/qt/6.9/CVE-2025-10729-qtsvg-6.9.diff
> Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtsvg/+/676621 or
> https://download.qt.io/official_releases/qt/6.8/CVE-2025-10729-qtsvg-6.8.diff
> ______________________
> Tuukka Kettunen
> Senior Manager, Technical Support, Customer Engineering
>
> Confidential
> _______________________________________________
> Announce mailing list
> [email protected]
> https://lists.qt-project.org/listinfo/announce
> --
> Development mailing list
> [email protected]
> https://lists.qt-project.org/listinfo/development
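
One way to act on the advisory's mitigation while an affected Qt is still deployed, as an added example that is not part of this thread or of Qt: a Python pre-filter that rejects untrusted SVGs containing `<pattern>` when the Qt version is in the stated affected ranges. The function names, the `STRUCTURAL` set, the size cap and the sample document are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the advisory (inclusive).
AFFECTED = [((6, 7, 0), (6, 8, 4)), ((6, 9, 0), (6, 9, 2))]
# Assumption: container elements from the SVG spec, not Qt's internal list.
STRUCTURAL = {"svg", "g", "defs", "symbol", "switch"}
MAX_BYTES = 1_000_000  # assumption: cap on what the filter will inspect

# Constructed sample: one <pattern> under <defs>, one under <rect>.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg"><defs><pattern id="a"/>'
          b'</defs><rect><pattern id="b"/></rect></svg>')


def qt_is_affected(version: str) -> bool:
    """True if a 'major.minor.patch' Qt version is in an affected range."""
    v = tuple(int(p) for p in version.split("."))
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def local(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_patterns(svg_bytes: bytes):
    """Return (id, parent tag, parent_is_structural) for every <pattern>."""
    hits, stack = [], [ET.fromstring(svg_bytes)]
    while stack:  # iterative walk: deep nesting cannot exhaust our own stack
        parent = stack.pop()
        for child in parent:
            if local(child.tag) == "pattern":
                ptag = local(parent.tag)
                hits.append((child.get("id"), ptag, ptag in STRUCTURAL))
            stack.append(child)
    return hits


def should_reject(svg_bytes: bytes, qt_version: str) -> bool:
    """Policy: an unpatched Qt must not see untrusted SVGs with <pattern>."""
    if not qt_is_affected(qt_version):
        return False
    if len(svg_bytes) > MAX_BYTES:
        return True
    try:
        return bool(find_patterns(svg_bytes))
    except ET.ParseError:
        return True  # fail closed on input we cannot inspect
```

The third field of each hit is triage information only; the policy rejects every `<pattern>` on an affected version because CVE-2025-10728 does not depend on the parent element.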
