CVE-2022-40983
published 2023-01-12CVE-2022-40983: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer…
PriorityP342high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
1.08%
60.9th percentile
An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qt6-declarative | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| debian | qtdeclarative-opensource-src | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| debian | qtdeclarative-opensource-src-gles | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| qt | qt | — | — |
| qt_project | qt | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv3.08.8HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2022-40983: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
osv·2023-01-12·CVSS 8.8
CVE-2022-40983 [HIGH] CVE-2022-40983: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
GHSA
GHSA-32ph-rfjm-xcxh: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
ghsa_unreviewed·2023-01-12
CVE-2022-40983 [HIGH] CWE-190 GHSA-32ph-rfjm-xcxh: An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
Debian
CVE-2022-40983: qt6-declarative - An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt P...
vendor_debian·2022·CVSS 8.8
CVE-2022-40983 [HIGH] CVE-2022-40983: qt6-declarative - An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt P...
An integer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. A specially-crafted javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. Target application would need to access a malicious web page to trigger this vulnerability.
Scope: local
bookworm: resolved (fixed in 6.4.2+dfsg~rc1-2)
forky: resolved (fixed in 6.4.2+dfsg~rc1-2)
sid: resolved (fixed in 6.4.2+dfsg~rc1-2)
trixie: resolved (fixed in 6.4.2+dfsg~rc1-2)
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
blogs_talos·2023-01-13·CVSS 8.8
[HIGH] Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
## Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.
Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.
QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content... Each applicatio
Talos
Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
blogs_talos·2023-01-13·CVSS 8.8
[HIGH] Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.
Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.
QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content... Each application that is passing untrusted input to QtQml needs to have an advisory instead and must tho
2023-01-12
Published