CVE-2025-5683 in Qt
Summary
by MITRE • 06/05/2025
When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.
Analysis
by VulDB Data Team • 10/16/2025
The vulnerability described in CVE-2025-5683 represents a critical heap-based buffer overflow condition within the Qt framework's image handling capabilities. This flaw specifically manifests when the QImage class processes specially crafted ICNS format image files, which are Apple Icon Image format files commonly used for storing multiple icon sizes within a single file structure. The vulnerability exists across multiple Qt version ranges including 6.3.0 through 6.5.9, 6.6.0 through 6.8.4, and 6.9.0, indicating a widespread impact within the Qt ecosystem that has affected developers and applications relying on Qt's cross-platform graphics capabilities.
The technical implementation of this vulnerability stems from insufficient input validation and boundary checking in the ICNS file parser of Qt's QImage component. When processing malformed ICNS files, the parsing logic fails to properly validate the size fields within the image file structure, leading to memory allocation based on incorrect or maliciously crafted size parameters. This results in buffer overflows that can overwrite adjacent memory regions, potentially causing application crashes, memory corruption, or in more severe cases, arbitrary code execution. The vulnerability falls under CWE-121 Heap-based Buffer Overflow, which is classified as a critical weakness in memory safety. The issue demonstrates characteristics consistent with attack patterns documented in the MITRE ATT&CK framework under T1059.007 Command and Scripting Interpreter: Python and T1203 Exploitation for Client Execution, as it represents a remote code execution vector through crafted file manipulation.
The operational impact of this vulnerability extends beyond simple application instability, as it affects any Qt-based application that processes image files from untrusted sources. Applications using Qt's QImage functionality for loading icons, images, or graphics content are at risk when handling user-uploaded or externally sourced ICNS files. This includes desktop applications, web browsers using Qt for rendering, mobile applications, and embedded systems that rely on Qt's graphics libraries. The vulnerability's exploitation potential increases significantly in environments where applications automatically process user-provided content without proper sanitization or validation. Security researchers have noted that this type of vulnerability is particularly dangerous in web applications or services that accept file uploads, as attackers can craft malicious ICNS files to trigger crashes or potentially execute code on affected systems.
The fix addresses the issue by implementing proper bounds checking and input validation within the ICNS parser, ensuring that memory allocations are performed only with validated size parameters. The issue was resolved in Qt releases 6.5.10, 6.8.5, and 6.9.1, which included patches that strengthen the validation logic and prevent the buffer overflow conditions from occurring during image file processing. Organizations using Qt frameworks should immediately evaluate their applications for potential exposure and apply the appropriate patches to mitigate the risk of exploitation.
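For services that accept ICNS uploads, the size-field validation discussed above can also be applied as a pre-check before a file reaches QImage. The following is an added example, not Qt's patch or code from this page: `checkIcns` and `makeSample` are hypothetical names, the sample bytes are constructed, and the container layout (an `icns` magic and big-endian total length, followed by chunks with a 4-byte type and a 4-byte big-endian length that includes the chunk header) is assumed from the publicly documented format. It inspects container-level length fields only and complements upgrading to a fixed release rather than replacing it.

```cpp
// Added example, not Qt code: container-level ICNS length checks.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

enum class IcnsCheck { Ok, TooShort, BadMagic, BadFileLength, BadChunkLength, TooManyChunks };

static std::uint32_t readBe32(const unsigned char *p) {
    return (std::uint32_t(p[0]) << 24) | (std::uint32_t(p[1]) << 16) |
           (std::uint32_t(p[2]) << 8) | std::uint32_t(p[3]);
}

// Layout assumed: "icns" + big-endian total length, then chunks of
// 4-byte type + 4-byte big-endian length (length includes the 8-byte chunk header).
IcnsCheck checkIcns(const std::vector<unsigned char> &buf, std::size_t maxChunks = 256) {
    constexpr std::size_t kHeader = 8;
    if (buf.size() < kHeader) return IcnsCheck::TooShort;
    if (std::memcmp(buf.data(), "icns", 4) != 0) return IcnsCheck::BadMagic;
    // The declared file length must equal the number of bytes actually received.
    if (readBe32(buf.data() + 4) != buf.size()) return IcnsCheck::BadFileLength;
    std::size_t off = kHeader, chunks = 0;
    while (off < buf.size()) {
        const std::size_t remaining = buf.size() - off;
        if (remaining < kHeader) return IcnsCheck::BadChunkLength;  // truncated chunk header
        const std::uint32_t len = readBe32(buf.data() + off + 4);
        // Compare with the bytes remaining instead of computing off + len, which could wrap.
        if (len < kHeader || len > remaining) return IcnsCheck::BadChunkLength;
        if (++chunks > maxChunks) return IcnsCheck::TooManyChunks;
        off += len;
    }
    return IcnsCheck::Ok;
}

// Constructed sample (hypothetical helper): a 20-byte file with one "ic07" chunk
// carrying 4 dummy payload bytes; declaredLen is written as that chunk's length field.
std::vector<unsigned char> makeSample(std::uint32_t declaredLen) {
    std::vector<unsigned char> v = {'i', 'c', 'n', 's', 0, 0, 0, 20, 'i', 'c', '0', '7'};
    for (int s = 24; s >= 0; s -= 8) v.push_back(static_cast<unsigned char>(declaredLen >> s));
    v.insert(v.end(), 4, static_cast<unsigned char>(0));
    return v;
}

int main() {
    std::printf("consistent chunk length: %d\n", static_cast<int>(checkIcns(makeSample(12))));
    std::printf("oversized chunk length:  %d\n", static_cast<int>(checkIcns(makeSample(0xFFFFFFF0u))));
    return 0;
}
```

Files that fail the check can be rejected or quarantined at the upload boundary and logged for review.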