CVE-2025-10729

Published Oct 3, 2025

Last updated 2 months ago

CVSS critical 9.4

C++

Overview

Description: The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.
Source: a59d8014-47c4-4630-ab43-e1b13cbe58e3
NVD status: Deferred

Risk scores

CVSS 4.0

Type: Secondary
Base score: 9.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:H/U:Red
Severity: CRITICAL

Weaknesses

a59d8014-47c4-4630-ab43-e1b13cbe58e3: CWE-416

Hype score: Not currently trending

#VulnerabilityReport #CriticalVulnerability Qt Fixes Dual Critical Vulnerabilities (CVE-2025-10728 & CVE-2025-10729) in SVG Module https://t.co/QzNPxhV0YX
@Komodosec
13 Nov 2025
9 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 SECURITY ALERT for #Fedora 42 users! A critical use-after-free vulnerability (CVE-2025-10729) in Qt SVG has been patched. This impacts apps like Zeal docs browser. Read more:👉 https://t.co/UxKpzjD7BS #Security https://t.co/YtpIRrp5Xf
@Cezar_H_Linux
30 Oct 2025
34 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 SECURITY PATCH: #Fedora 42 CVE-2025-10729: A critical use-after-free vulnerability in Qt SVG has been fixed. Read more: 👉 https://t.co/VSz0hSTUlb #Security https://t.co/ov5NNYIHXz
@Cezar_H_Linux
30 Oct 2025
60 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Urgent #Fedora 42 Update 🚨 A critical use-after-free vulnerability (CVE-2025-10729) in qt6-qtsvg could allow remote code execution. Fedora has released Qt 6.9.3 to patch this flaw. Read more: 👉 https://t.co/wxPDuwP6tW #Security https://t.co/3MD5G3SfSD
@Cezar_H_Linux
30 Oct 2025
33 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
⚠️ CRITICAL alert: CVE-2025-10729 is a use-after-free vuln in Qt (6.7.0 & 6.9.0). Local attackers can execute code or crash apps. Audit & restrict access now! 🛡️ https://t.co/1skEY6jFaN #OffSeq #Qt #CyberSecurity https://t.co/Wswq7psZ8U
@offseq
4 Oct 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-10729 The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use… https://t.co/IX1ueR9006
@CVEnew
3 Oct 2025
190 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-10729: CRITICAL] The module will parse a <pattern> node which is not a child of a structural node. The node will be deleted after creation but might be accessed later leading to a use after free.#cve,CVE-2025-10729,#cybersecurity https://t.co/CTKeQIKO5k https://t.
@CveFindCom
3 Oct 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.•CVE-2026-5450
Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte character encodings, in the GNU C Library version 2.43 or earlier, may result in an attempt to read bytes before an allocated buffer, potentially resulting in unintentional disclosure of neighboring data in the heap, or a program crash. A bug in the wide character pushback implementation (_IO_wdefault_pbackfail in libio/wgenops.c) causes ungetwc() to operate on the regular character buffer (fp->_IO_read_ptr) instead of the actual wide-stream read pointer (fp->_wide_data->_IO_read_ptr). The program crash may happen in cases where fp->_IO_read_ptr is not initialized and hence points to NULL. The buffer under-read requires a special situation where the input character encoding is such that there are overlaps between single byte representations and multibyte representations in that encoding, resulting in spurious matches. The spurious match case is not possible in the standard Unicode character sets.•CVE-2026-5928
llama.cpp is an inference of several LLM models in C/C++. Prior to version b8492, the RPC backend's deserialize_tensor() skips all bounds validation when a tensor's buffer field is 0. An unauthenticated attacker can read and write arbitrary process memory via crafted GRAPH_COMPUTE messages. Combined with pointer leaks from ALLOC_BUFFER/BUFFER_GET_BASE, this gives full ASLR bypass and remote code execution. No authentication required, just TCP access to the RPC server port. This issue has been patched in version b8492.•CVE-2026-34159
SciTokens C++ is a minimal library for creating and using SciTokens from C or C++. Prior to version 1.4.1, scitokens-cpp is vulnerable to an authorization bypass when processing path-based scopes in tokens. The library normalizes the scope path from the token before authorization and collapses ".." path components instead of rejecting them. As a result, an attacker can use parent-directory traversal in the scope claim to broaden the effective authorization beyond the intended directory. This issue has been patched in version 1.4.1.•CVE-2026-32725
Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.•CVE-2026-32877

References

Sources include official advisories and independent security research.

https://nvd.nist.gov/vuln/detail/CVE-2025-10729
https://codereview.qt-project.org/c/qt/qtsvg/+/676473

Overview

Risk scores

CVSS 4.0

Weaknesses

Social media

Related CVEs

References