CVE-2025-5991
BaseFortify
Publication date: 2025-06-11
Last updated on: 2025-06-12
Assigner: TQtC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Use After Free issue in Qt's QHttp2ProtocolHandler within the QtNetwork module. It occurs specifically in HTTP/2 handling due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses. This can lead to accessing memory that has already been freed.
How can this vulnerability impact me? :
The vulnerability could potentially lead to unexpected behavior or crashes in applications using the affected Qt version (6.9.0) when handling HTTP/2 POST requests, due to the Use After Free condition. However, the CVSS score is low (2.1), indicating limited impact and requiring local attack vector with high complexity.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Qt from version 6.9.0 to version 6.9.1 or later, as the vulnerability has been fixed in Qt 6.9.1.