CVE-2024-25580

Published Mar 27, 2024

Last updated 6 months ago

CVSS medium 6.2

Overview

Description
An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.
Source
cve@mitre.org
NVD status
Modified
Products
qt

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.2
Impact score
3.6
Exploitability score
2.5
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Severity
MEDIUM

Weaknesses

134c704f-9b21-4f2e-91b3-4a467353bcc0
CWE-120

Social media

Hype score
Not currently trending

  1. Critical #Qt vulnerability (CVE-2024-25580) impacts #Ubuntu 20.04/22.04 LTS. Memory corruption flaw allows DoS or arbitrary code execution via a crafted file Read more: 👉 https://t.co/TteqYGSrOc #Security https://t.co/i7XnEA4vkV

    @Cezar_H_Linux

    11 Dec 2025

    1 Impression

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Critical security update for #Qt framework users on #Ubuntu. Vulnerability CVE-2024-25580 allows crafted files to crash apps or execute malicious code via memory corruption. Read more: 👉https://t.co/yZZrB63kGn #Security https://t.co/y22VJrsVcK

    @Cezar_H_Linux

    11 Dec 2025

    10 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. When loading a specifically crafted ICNS format image file in QImage then it will trigger a crash. This issue affects Qt from versions 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.CVE-2025-5683
  2. encodeText in QDom in Qt before 6.8.0 has a complex algorithm involving XML string copy and inline replacement of parts of a string (with relocation of later data).CVE-2025-30348
  3. An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..CVE-2024-39936
  4. QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.CVE-2024-36048
  5. In Qt 6.5.4, 6.5.5, and 6.6.2, QNetworkReply header data might be accessed via a dangling pointer in Qt for WebAssembly (wasm). (Earlier and later versions are unaffected.)CVE-2024-30161

References

Sources include official advisories and independent security research.