Description
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
References (6)
Core 6
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/08/msg00028.html
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SZK7EDD4ILPPSQAYO54FANUC4NFYLTHU/
Mailing List, Third Party Advisory vendor-advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/O3JR3N3IF5MUSETGYE46OZFOGGPY3VZT/
Mailing List mailing-list
https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html
Scores
CVSS v3
7.5
EPSS
0.0026
EPSS Percentile
49.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
Status
published
Products (2)
debian/debian_linux
10.0
qt/qt
< 5.15.15
Published
Aug 20, 2023
Tracked Since
Feb 18, 2026