CVE-2026-6210
Published 2026-05-06
Priority: P3 · 47 · high · 8.7 (CVSS 4.0)
EPSS: 0.28% (19.6th percentile)
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.
When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a `<line>` element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service).
This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| the_qt_company | qt | >= 6.7.0 < 6.8.8 | 6.8.8 |
| the_qt_company | qt | >= 6.9.0 < 6.11.1 | 6.11.1 |
CVSS provenance
nvd · v4.0 · 8.7 HIGH · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_redhat · 8.7 HIGH
Red Hat
Qt SVG: Qt SVG: Denial of Service via crafted SVG image
vendor_redhat·2026-05-06·CVSS 8.7
CVE-2026-6210 [HIGH] CWE-843 Qt SVG: Qt SVG: Denial of Service via crafted SVG image
A flaw was found in Qt SVG. A remote attacker could exploit a vulnerability by providing a specially crafted SVG image. This issue arises from incorrect handling of SVG marker references, where the software misinterprets data types, leading to memory access errors and an infinite loop. This can cause the application to crash, resulting in a denial of service (DoS).
Mitigation: To mitigate this issue, avoid processing untrusted SVG images with applications that use Qt SVG. Users should exercise caution when opening SVG files from unknown or suspicious sources. If possible, configure applications to restrict the loading or rendering of SVG content from untrusted origins. This operational control reduces the attack surface by preventin
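A pre-screening check that supports the mitigation above, as an added example (not code from Qt, Red Hat or this page): it flags SVG documents in which a marker property resolves to an element that is not a `<marker>`, the pattern the CVE description attributes to this flaw. The function names and both sample documents are constructed for illustration; only presentation attributes and inline `style` are covered, not `<style>` sheets.

```python
import re
import xml.etree.ElementTree as ET  # for hostile input, defusedxml is the safer parser

MARKER_PROPS = ("marker-start", "marker-mid", "marker-end", "marker")
URL_REF = re.compile(r"url\(\s*['\"]?#([^'\")\s]+)['\"]?\s*\)")

def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def marker_refs(elem):
    """Yield (property, target id) for each marker reference on one element."""
    for prop in MARKER_PROPS:                      # presentation attributes
        m = URL_REF.search(elem.get(prop, ""))
        if m:
            yield prop, m.group(1)
    for decl in elem.get("style", "").split(";"):  # inline style declarations
        name, _, value = decl.partition(":")
        m = URL_REF.search(value)
        if name.strip() in MARKER_PROPS and m:
            yield name.strip(), m.group(1)

def suspicious_marker_refs(svg_text):
    """Return (element, property, id, target tag) where the target is not a <marker>."""
    root = ET.fromstring(svg_text)
    targets = {}                                   # id -> set of tag names using that id
    for e in root.iter():
        if e.get("id"):
            targets.setdefault(e.get("id"), set()).add(local(e.tag))
    findings = []
    for elem in root.iter():
        for prop, target_id in marker_refs(elem):
            bad = sorted(targets.get(target_id, set()) - {"marker"})
            if bad:                                # duplicate ids: any non-marker counts
                findings.append((local(elem.tag), prop, target_id, bad[0]))
    return findings

# Constructed samples: the first points a marker property at a <rect>, the second at a real <marker>.
FLAGGED = ('<svg xmlns="http://www.w3.org/2000/svg"><rect id="r" width="1" height="1"/>'
           '<path d="M0 0L1 1" marker-end="url(#r)"/></svg>')
BENIGN = ('<svg xmlns="http://www.w3.org/2000/svg"><marker id="m"><circle r="1"/></marker>'
          '<path d="M0 0L1 1" marker-end="url(#m)"/></svg>')

if __name__ == "__main__":
    print(suspicious_marker_refs(FLAGGED))
    print(suspicious_marker_refs(BENIGN))
```

Treat a parse error the same as a finding and reject the file; the check complements upgrading to a fixed Qt SVG release and does not replace it.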
GHSA
GHSA-mh4x-qpf6-hr3q: A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image
ghsa_unreviewed·2026-05-06
CVE-2026-6210 [HIGH] CWE-122 GHSA-mh4x-qpf6-hr3q: A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2026-6210 qt6-qtsvg: Qt SVG: Denial of Service via crafted SVG image [epel-all]
bugzilla·2026-05-15·CVSS 8.7
CVE-2026-6210 [HIGH] CVE-2026-6210 qt6-qtsvg: Qt SVG: Denial of Service via crafted SVG image [epel-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla
CVE-2026-6210 qt5-qtsvg: Qt SVG: Denial of Service via crafted SVG image [epel-all]
bugzilla·2026-05-15·CVSS 8.7
CVE-2026-6210 [HIGH] CVE-2026-6210 qt5-qtsvg: Qt SVG: Denial of Service via crafted SVG image [epel-all]
Bugzilla
CVE-2026-6210 mingw-qt5-qtsvg: Qt SVG: Denial of Service via crafted SVG image [fedora-all]
bugzilla·2026-05-15·CVSS 8.7
CVE-2026-6210 [HIGH] CVE-2026-6210 mingw-qt5-qtsvg: Qt SVG: Denial of Service via crafted SVG image [fedora-all]
Bugzilla
CVE-2026-6210 Qt SVG: Qt SVG: Denial of Service via crafted SVG image
bugzilla·2026-05-06·CVSS 8.7
CVE-2026-6210 [HIGH] CVE-2026-6210 Qt SVG: Qt SVG: Denial of Service via crafted SVG image