Vulnerability-Lookup

alsa-2025:9462

Vulnerability from osv_almalinux

Published

2025-06-24 00:00

Modified

2025-06-30 13:07

Summary

Moderate: qt5-qtbase security update

Details

Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt.

Security Fix(es):

qt5: qt6: QtCore Assertion Failure Denial of Service (CVE-2025-5455)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://access.redhat.com/errata/RHSA-2025:9462	ADVISORY
	https://access.redhat.com/security/cve/CVE-2025-5455	REPORT
	https://bugzilla.redhat.com/2369722	REPORT
	https://errata.almalinux.org/9/ALSA-2025-9462.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-common"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-examples"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-gui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-mysql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-odbc"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-private-devel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "qt5-qtbase-static"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.15.9-11.el9_6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "Qt is a software toolkit for developing applications. The qt5-base packages contain base tools for string, xml, and network handling in Qt.   \n\nSecurity Fix(es):  \n\n  * qt5: qt6: QtCore Assertion Failure Denial of Service (CVE-2025-5455)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
  "id": "ALSA-2025:9462",
  "modified": "2025-06-30T13:07:19Z",
  "published": "2025-06-24T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2025:9462"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2025-5455"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2369722"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2025-9462.html"
    }
  ],
  "related": [
    "CVE-2025-5455"
  ],
  "summary": "Moderate: qt5-qtbase security update"
}

CVE-2025-5455 (GCVE-0-2025-5455)

Vulnerability from cvelistv5 – Published: 2025-06-02 08:46 – Updated: 2025-06-02 12:42

Title

Possible denial of service when passing malformed data in a URL to qDecodeDataUrl

Summary

An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Severity ?

8.4 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear

CWE

CWE-20 - Improper Input Validation

Assigner

TQtC

References

URL

Tags

https://codereview.qt-project.org/c/qt/qtbase/+/642006

Impacted products

	Vendor	Product	Version
	The Qt Company	Qt	Affected: 0 , ≤ 5.15.18 (python) Affected: 6.0.0 , ≤ 6.5.8 (python) Unaffected: 6.5.9 (python) Affected: 6.6.0 , ≤ 6.8.3 (python) Unaffected: 6.8.4 (python) Affected: 6.9.0 (python) Unaffected: 6.9.1 (python)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-5455",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-02T12:39:49.722519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-02T12:42:34.203Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Qt",
          "vendor": "The Qt Company",
          "versions": [
            {
              "lessThanOrEqual": "5.15.18",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            },
            {
              "lessThanOrEqual": "6.5.8",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.5.9",
              "versionType": "python"
            },
            {
              "lessThanOrEqual": "6.8.3",
              "status": "affected",
              "version": "6.6.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.8.4",
              "versionType": "python"
            },
            {
              "status": "affected",
              "version": "6.9.0",
              "versionType": "python"
            },
            {
              "status": "unaffected",
              "version": "6.9.1",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eAn issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.\u003c/p\u003e\u003cp\u003eIf the function was called with malformed data, for example, an URL that\ncontained a \"charset\" parameter that lacked a value (such as\n\"data:charset,\"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service\n(abort).\u003c/p\u003e\u003cp\u003eThis impacts Qt up to 5.15.18, 6.0.0-\u0026gt;6.5.8, 6.6.0-\u0026gt;6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.\u003c/p\u003e\u003cbr\u003e"
            }
          ],
          "value": "An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.\n\nIf the function was called with malformed data, for example, an URL that\ncontained a \"charset\" parameter that lacked a value (such as\n\"data:charset,\"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service\n(abort).\n\nThis impacts Qt up to 5.15.18, 6.0.0-\u003e6.5.8, 6.6.0-\u003e6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/R:U/RE:M/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-02T08:46:20.524Z",
        "orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
        "shortName": "TQtC"
      },
      "references": [
        {
          "url": "https://codereview.qt-project.org/c/qt/qtbase/+/642006"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "Possible denial of service when passing malformed data in a URL to qDecodeDataUrl",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
    "assignerShortName": "TQtC",
    "cveId": "CVE-2025-5455",
    "datePublished": "2025-06-02T08:46:20.524Z",
    "dateReserved": "2025-06-02T08:31:36.081Z",
    "dateUpdated": "2025-06-02T12:42:34.203Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted