PT-2025-40529 · Qt Company+1 · Qt 6.7.0+2

Oddmund Skogen +1 · Published 2025-09-01 · Updated 2026-03-20 · CVE-2025-10729

CVSS v4.0: 9.4 Critical

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/RE:H/U:Red

Name of the Vulnerable Software and Affected Versions

Qt versions 6.7.0 through 6.9.0
Qt6-svg
qtsvg-opensource-src

Description

The issue is a use-after-free condition within the Qt framework, specifically related to the parsing of SVG files. The renderPattern() function and the SVG module are affected. The vulnerability occurs when a node is deleted after creation but is subsequently accessed, leading to a use-after-free scenario. This could allow an attacker to execute arbitrary code or cause a denial of service. The vulnerability impacts applications utilizing the Qt SVG module.

Recommendations

Update to Qt version 6.9.3.
For systems using qt6-svg, apply the available security patch.
For systems using qtsvg-opensource-src, apply the available security patch.

Fix

RCE

DoS

Use After Free

Weakness Enumeration

Related Identifiers

ALSA-2025:19772
AZL-68199
AZL-68208
BDU:2025-13426
CVE-2025-10729
OESA-2026-1645
OESA-2026-1646
OESA-2026-1647
OESA-2026-1648
OESA-2026-1649
OPENSUSE-SU-2025:15630-1
RHSA-2025:19772
RHSA-2025:21037

Affected Products

Debian
Qt 6.7.0
Qt 6.9.0