CVE-2025-5683 — Allocation of Resources Without Limits or Throttling in QT

CWE-770 — Allocation of Resources Without Limits or Throttling5 documents5 sources

Severity

5.1MEDIUMNVD

EPSS

0.2%

top 61.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

QT Debian Qt6-imageformats Debian Qtimageformats-opensource-src +1 more

Timeline

PublishedJun 5

Description

When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

Affected Packages4 packages

▶debiandebian/qt6-imageformats< qt6-imageformats 6.8.2-4 (forky)

▶debiandebian/qtimageformats-opensource-src< qt6-imageformats 6.8.2-4 (forky)

▶NVDqt/qt6.3.0 — 6.5.10+2

▶CVEListV5the_qt_company/qt6.3.0 — 6.5.9+2

Patches

Patch: codereview.qt-project.org ↗Patch: issues.oss-fuzz.com ↗

🔴Vulnerability Details

GHSA

GHSA-5mw2-w8pc-m6p6: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash↗2025-06-05

▶

OSV

CVE-2025-5683: When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash↗2025-06-05

▶

📋Vendor Advisories

Red Hat

qt: Qt ICNS Image Crash Vulnerability↗2025-06-05

▶

Debian

CVE-2025-5683: qt6-imageformats - When loading a specifically crafted ICNS format image file in QImage then it wil...↗2025

▶