CVE-2025-12385
Published 2025-12-03
CVE-2025-12385: Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS…
Priority: P3 · 50 · high · 8.7 (CVSS 4.0)
EPSS: 0.26% (17.7th percentile)
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | qt6-declarative | < qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) | qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) |
| debian | qtdeclarative-opensource-src | < qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) | qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) |
| debian | qtdeclarative-opensource-src-gles | < qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) | qtdeclarative-opensource-src 5.15.17+dfsg-4 (forky) |
| msrc | azl3_qtdeclarative_6.6.1-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_qt5-qtbase_5.12.11-18_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_qt5-qtdeclarative_5.12.5-5_on_cbl_mariner_2.0 | — | — |
| the_qt_company | qt | 5.0.0 – 6.5.10 | — |
| the_qt_company | qt | 6.6.0 – 6.8.5 | — |
| the_qt_company | qt | 6.9.0 – 6.10.0 | — |
| ubuntu | qtdeclarative-opensource-src | — | — |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v4.0) | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | 8.7 | HIGH | — |
| vendor_debian | 8.7 | HIGH | — |
| vendor_msrc | 8.7 | HIGH | — |
GHSA
GHSA-x9vj-67g7-457m (CVE-2025-12385, HIGH, CWE-770): Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows
ghsa_unreviewed · 2025-12-03
OSV
CVE-2025-12385 (HIGH): Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows
osv · 2025-12-03 · CVSS 8.7
Ubuntu
CVE-2025-12385: Qt Declarative vulnerability
vendor_ubuntu · 2026-06-01
Summary: Qt Declarative could be made to use excessive resources if it received specially crafted input.
It was discovered that Qt Declarative did not properly validate the width and height attributes of image tags in the Text component of Qt Quick. An attacker could possibly use this issue to cause Qt Declarative to use excessive resources, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
CVE-2025-12385 (HIGH, CWE-770): Improper validation of <img> tag size in Text component parser
vendor_msrc · 2025-12-09 · CVSS 8.7
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade
Debian
CVE-2025-12385 (HIGH): qt6-declarative - Allocation of Resources Without Limits or Throttling, Improper Validation of Spe...
vendor_debian · 2025 · CVSS 8.7
Scope: local
bookworm: open
forky: open
sid: open
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.