[Development] [Announce] Security advisory: Recently reported denial of service issue in QColorTransferGenericFunction impacts Qt
Ilya Fedin
fedin-ilja2010 at ya.ru
Tue Jul 15 00:55:48 CEST 2025
On Fri, 11 Jul 2025 09:00:00 +0000
List for announcements regarding Qt releases and development via
Announce via Development <development at qt-project.org> wrote:
> Hi,
>
> When passing values outside of the expected range to
> QColorTransferGenericFunction it can cause a denial of service, for
> example, this can happen when passing a specifically crafted ICC
> profile to QColorSpace::fromICCProfile. This has been assigned the
> CVE id CVE-2025-5992. Affected versions: Qt from 6.8.0 through 6.8.3,
> from 6.9.0 through 6.9.1. Vulnerability Score: CVSS v4.0: 2.3
> Solution: As a workaround if you are loading ICC profiles then
> ensure that you are doing so from a trusted source. Alternatively,
> you can apply the appropriate patch for your Qt version: 6.9:
> https://download.qt.io/official_releases/qt/6.9/CVE-2025-5992-qtbase-6.9.patch
> or
> https://codereview.qt-project.org/c/qt/qtbase/+/657023<https://download.qt.io/official_releases/qt/6.9/CVE-2025-5992-qtbase-6.9.patch>
> 6.8:
> https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch
> or
> https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/657094<https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch>
> Kind regards,
>
> Andy
>
> --
>
> Andy Shaw,
>
> Director, Customer Services - SQS
>
> The Qt Company
>
>
>
>
> Confidential
Could it be used indirectly via other Qt APIs? Is e.g. reading images
via QImage from untrusted sources affected? Is there a full list of Qt
APIs affected?
More information about the Development
mailing list