CVE-2026-6210
Awaiting Analysis Awaiting Analysis - Queue
Type Confusion in Qt SVG via Malicious SVG Image

Publication date: 2026-05-06

Last updated on: 2026-05-06

Assigner: TQtC

Description
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG:Β  from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-6210
EUVD
EUVD-2026-27681
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
qt svg From 6.7.0 (inc) to 6.8.8 (exc)
qt svg From 6.9.0 (inc) to 6.11.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-843 The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a type confusion issue in Qt SVG where the renderer incorrectly casts a node retrieved by its id attribute to a QSvgMarker* without verifying the actual node type.

If a non-marker element, such as a <line> element, references itself as a marker, it causes an out-of-bounds heap read due to differences in object sizes between QSvgLine and QSvgMarker.

This leads to endless recursion that bypasses the marker recursion guard because of incorrect virtual dispatch, ultimately causing the application to crash, resulting in a denial of service.

Impact Analysis

The primary impact of this vulnerability is that an attacker can cause an application using Qt SVG to crash by providing a specially crafted SVG image.

This crash results in a denial of service, potentially disrupting normal application operations and availability.

Compliance Impact

The vulnerability described is a type confusion issue in Qt SVG that leads to an application crash (denial of service) when processing crafted SVG images.

There is no information provided in the context or resources about any impact on data confidentiality, integrity, or availability beyond causing a denial of service.

Because the vulnerability results in denial of service without indication of data breach or unauthorized data access, there is no direct evidence from the provided information that it affects compliance with standards like GDPR or HIPAA.

Mitigation Strategies

To mitigate this vulnerability, you should update the Qt SVG component to a fixed version. Specifically, upgrade from versions 6.7.0 before 6.8.8 or from 6.9.0 before 6.11.1 to a version that includes the fix.

Avoid processing untrusted or crafted SVG images that could exploit the type confusion vulnerability until the update is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6210. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart