CVE-2021-38593 — Out-of-bounds Write in QT

CWE-787 — Out-of-bounds Write8 documents7 sources

Severity

7.5HIGHNVD

OSV5.3

EPSS

0.8%

top 25.37%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Fedoraproject Fedora Debian Qtbase-opensource-src +9 more

Timeline

PublishedAug 12

Latest updateMay 24

Description

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages11 packages

▶NVDqt/qt5.0.0 — 5.15.6+1

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

▶msrcmsrc/cbl_mariner_2.0_x64

Also affects: Fedora 35, 36

Patches

Patch: bugs.chromium.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-qfcf-2jfw-4cm8: Qt 5↗2022-05-24

▶

OSV

qtbase-opensource-src vulnerabilities↗2021-09-16

▶

OSV

CVE-2021-38593: Qt 5↗2021-08-12

▶

📋Vendor Advisories

Ubuntu

Qt vulnerabilities↗2021-09-16

▶

Microsoft

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).↗2021-08-10

▶

Red Hat

qt: out-of-bounds write in QOutlineMapper::convertPath called from QRasterPaintEngine::fill and QPaintEngineEx::stroke↗2021-07-27

▶

Debian

CVE-2021-38593: qtbase-opensource-src - Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlin...↗2021

▶