[Development] [Announce] Security advisory: Type confusion and heap-buffer-overflow vulnerability in Qt SVG marker handling impacts Qt
List for announcements regarding Qt releases and development via Announce
announce at qt-project.org
Wed May 6 14:39:02 CEST 2026
A type confusion and heap-based buffer overflow vulnerability in the SVG marker and mask handling of the Qt SVG module has been discovered and assigned the CVE ID CVE-2026-6210.
Impact: Loading and rendering an SVG image can cause pointers (QSvgNode *) to be cast down to pointers to the wrong derived classes (QSvgMarker *, QSvgMask *). This can lead to the execution of a code path that does not expect endless recursion and therefore does not guard against it. The result is an application crash (denial of service).
CVSS 4.0 Score: 8.7 (HIGH)
Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Mitigation: Ensure that all SVG content rendered by Qt SVG is only from trusted sources. Applications should validate and sanitize SVG content before loading, or implement additional security controls to restrict the sources of SVG files that can be loaded by users.
Solution: Apply the following patch or update to Qt 6.8.8 or Qt 6.11.1 or later.
Patches:
dev: https://codereview.qt-project.org/c/qt/qtsvg/+/724887
Qt 6.11: https://codereview.qt-project.org/c/qt/qtsvg/+/727507 or https://download.qt.io/official_releases/qt/6.11/CVE-2026-6210-qtsvg-6.11.diff
Qt 6.10: https://codereview.qt-project.org/c/qt/qtsvg/+/732200 or https://download.qt.io/official_releases/qt/6.10/CVE-2026-6210-qtsvg-6.10.diff
Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtsvg/+/727630 or https://download.qt.io/official_releases/qt/6.8/CVE-2026-6210-qtsvg-6.8.diff
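
The mitigation above asks applications to validate SVG content before loading it. The following pre-load gate is an added example, not code from the Qt project: it refuses any SVG that uses marker or mask features at all, and all function and constant names in it are hypothetical. It assumes that refusing these features outright is acceptable for the application; the advisory does not state whether that covers every path to the affected code, so it is meant for use alongside the patch.

```python
import re
from xml.parsers import expat

# Feature names follow the advisory's wording (SVG marker and mask handling).
BLOCKED_ELEMENTS = {"marker", "mask"}
BLOCKED_ATTRIBUTES = {"marker", "marker-start", "marker-mid", "marker-end", "mask"}
# In CSS text, any mention of the features or a backslash escape is refused.
CSS_SUSPECT = re.compile(r"marker|mask|\\", re.IGNORECASE)


def _local(name):
    return name.rsplit(":", 1)[-1].lower()  # drop 'svg:'-style prefix, lowercase


def svg_policy_violations(data):
    """Return reasons to refuse `data` (bytes); an empty list means accept."""
    findings, css, in_style = [], [], [False]

    def on_start(name, attrs):
        tag = _local(name)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"<{tag}> element")
        for key, value in attrs.items():
            if _local(key) in BLOCKED_ATTRIBUTES:
                findings.append(f"{_local(key)} attribute on <{tag}>")
            elif _local(key) == "style" and CSS_SUSPECT.search(value):
                findings.append(f"style attribute on <{tag}>")
        in_style[0] = in_style[0] or tag == "style"

    def on_end(name):
        if _local(name) == "style":
            if CSS_SUSPECT.search("".join(css)):
                findings.append("<style> block")
            css.clear()
            in_style[0] = False

    def on_text(text):
        if in_style[0]:
            css.append(text)  # expat may deliver one text node in chunks

    parser = expat.ParserCreate()
    # Refuse DTDs: entities can make another parser see different markup.
    parser.StartDoctypeDeclHandler = lambda *args: findings.append("DOCTYPE declaration")
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings
```

A file is handed to the SVG loader only when the returned list is empty; files that are not well-formed XML are refused as well.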