CVE-2022-25255 in Qt
Summary
by MITRE • 02/16/2022
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Analysis
by VulDB Data Team • 03/09/2026
This vulnerability affects Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX. It lies in how QProcess resolves the program to run when the caller passes a bare program name with no directory component. QProcess searches the directories listed in the PATH environment variable; when no match is found, the affected versions do not fail. The unresolved name is handed to the exec call as-is, and a pathname without a slash is interpreted by the kernel relative to the current working directory, so a file of that name in the working directory is executed with the privileges of the calling application. An attacker who can write to the directory a Qt application runs from therefore obtains code execution in that application's context. This is privilege escalation only where the application runs with more privilege than the attacker; otherwise it is arbitrary code execution as the victim user.
The root cause is an untrusted search path, not a validation failure in the command itself. The intended behaviour is that a bare name is executed only if it is found in one of the PATH directories, while a name containing a directory component is executed from that path (relative to the working directory if it is not absolute). The pre-fix implementation in effect appended the current working directory as an implicit last entry of the search, an entry the caller never requested and cannot see. The entry is categorized here under CWE-20, Improper Input Validation, and related to CWE-78, OS Command Injection. Note that no shell or command string is involved and the attacker does not alter the command: the behaviour is more precisely described by CWE-427, Uncontrolled Search Path Element.
The operational impact depends on two preconditions. First, the helper launched by bare name must be absent from every PATH directory; a helper that is present in PATH is found there and the working directory is never consulted, so the exposed calls are those launching optional tools that may not be installed on the target, or applications run under a minimal or sanitized PATH. Second, the attacker must be able to place an executable file with the helper's name in the application's working directory. For desktop applications that directory is commonly the one the application was launched from or the one the user opened, so an extracted archive, a download folder or a shared project checkout is sufficient. Given both, the attacker's file runs instead of the intended utility with the application's privileges, enabling data exfiltration, persistence or, for applications running with elevated privileges, full system compromise. Any Qt application on an affected version that uses QProcess with bare program names is affected.
Mitigation is to upgrade Qt to 5.15.9 or 6.2.4 or later, where QProcess no longer falls back to the working directory when a bare name is not found in PATH. Application developers who cannot upgrade immediately can resolve the program themselves with QStandardPaths::findExecutable(), refuse to launch when it returns an empty string, and pass the resulting absolute path to QProcess; setting an explicit working directory with QProcess::setWorkingDirectory() to a location the user cannot write removes the attacker's foothold as well. Operationally, applications should run with the minimum privileges they need and should not be launched from user-writable or shared directories when they run with elevated privileges. For detection, watch for new executable files whose names match standard utilities appearing in user-writable directories, and for process executions whose binary path lies under a home, download or temporary directory while its basename matches a system utility. The ATT&CK mapping given for this entry, T1059.001 and T1548.001, does not fit well: T1059.001 is the PowerShell sub-technique of Command and Scripting Interpreter and T1548.001 is Setuid and Setgid under Abuse Elevation Control Mechanism. The behaviour exploited here corresponds to T1574.008, Hijack Execution Flow: Path Interception by Search Order Hijacking.