Description
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.



When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,
followed by an endless recursion that bypasses the marker recursion
guard through incorrect virtual dispatch. The result is an application
crash (denial of service).



This issue affects Qt SVG: 
from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Published: 2026-05-06
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A type confusion flaw in Qt SVG marker handling causes a crafted SVG image to induce an out‑of‑bounds heap read and an unprotected recursive loop that bypasses the marker recursion guard. This results in a crash of the application, falling under a denial‑of‑service attack. The issue relies on a mismatch between expected object types, mapping to CWE‑122 (Buffer Overflow) and CWE‑843 (Type Confusion).

Affected Systems

The Qt Company’s Qt framework, specifically the Qt SVG module, is affected. Versions from 6.7.0 up to but excluding 6.8.8, and from 6.9.0 up to but excluding 6.11.1, are vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, indicating high severity. No EPSS score is available, so the exploitation probability remains uncertain, though the base score indicates a significant risk. The flaw is not listed in the CISA KEV catalog, indicating no confirmed widespread exploitation yet. Attackers only need to provide a malicious SVG file that the Qt application processes. Based on the description, it is inferred that the attack can be carried out with a local or network‑sourced SVG file. No additional authentication or privilege is required beyond the ability to load SVG content.

Generated by OpenCVE AI on May 6, 2026 at 15:56 UTC.

Remediation

Vendor Solution

Apply fix: https://codereview.qt-project.org/c/qt/qtsvg/+/724887

OpenCVE Recommended Actions

  • Update Qt to the patched version (at least 6.8.8 or 6.11.1) by applying the fix available through the provided code review link.
  • If an immediate upgrade is impossible, prevent the application from loading untrusted SVG files or disable marker processing entirely to avoid the crash scenario.
  • Implement process isolation or sandboxing for the SVG rendering component so that even if a crash occurs, the rest of the application remains functional.

Generated by OpenCVE AI on May 6, 2026 at 15:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared The Qt Company
The Qt Company qt
Vendors & Products The Qt Company
The Qt Company qt

Wed, 06 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 06 May 2026 12:15:00 +0000

Type Values Removed Values Added
Description A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG:  from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Title Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash
Weaknesses CWE-122
CWE-843
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

The Qt Company Qt
cve-icon MITRE

Status: PUBLISHED

Assigner: TQtC

Published:

Updated: 2026-05-06T13:11:44.674Z

Reserved: 2026-04-13T12:16:27.416Z

Link: CVE-2026-6210

cve-icon Vulnrichment

Updated: 2026-05-06T13:11:37.140Z

cve-icon NVD

Status : Received

Published: 2026-05-06T12:16:49.957

Modified: 2026-05-06T12:16:49.957

Link: CVE-2026-6210

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T19:30:10Z

Weaknesses