CVE-2022-43591
Published 2023-01-12
Priority: P3 · 43 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.14% (62.8th percentile)
A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6.3.2. Specially crafted JavaScript code can trigger an out-of-bounds memory access, which can lead to arbitrary code execution. The target application would need to access a malicious web page to trigger this vulnerability.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qt6-declarative | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| debian | qtdeclarative-opensource-src | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| debian | qtdeclarative-opensource-src-gles | < qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) | qt6-declarative 6.4.2+dfsg~rc1-2 (bookworm) |
| qt | qt | — | — |
| qt_project | qt | — | — |
CVSS provenance
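| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | LOW | — |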
GHSA
ghsa_unreviewed·2023-01-12
CVE-2022-43591 [HIGH] CWE-122 GHSA-hvpm-p42q-mxrw: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
OSV
osv·2023-01-12·CVSS 8.8
CVE-2022-43591 [HIGH] CVE-2022-43591: A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Project Qt 6
Debian
vendor_debian·2022·CVSS 8.8
CVE-2022-43591 [HIGH] CVE-2022-43591: qt6-declarative - A buffer overflow vulnerability exists in the QML QtScript Reflect API of Qt Pro...
Scope: local
bookworm: resolved (fixed in 6.4.2+dfsg~rc1-2)
forky: resolved (fixed in 6.4.2+dfsg~rc1-2)
sid: resolved (fixed in 6.4.2+dfsg~rc1-2)
trixie: resolved (fixed in 6.4.2+dfsg~rc1-2)
No detection rules found.
No public exploits indexed.
Talos
Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
blogs_talos·2023-01-13·CVSS 8.8
[HIGH] Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML
Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.
Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.
QT has responded to vulnerability notifications with this statement: “We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt’s QML and JavaScript support is explicitly not designed for untrusted content... Each application that is passing untrusted input to QtQml needs to have an advisory instead and must tho