8.7
/ 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Description
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.
When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,
followed by an endless recursion that bypasses the marker recursion
guard through incorrect virtual dispatch. The result is an application
crash (denial of service).
This issue affects Qt SVG:
from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,
followed by an endless recursion that bypasses the marker recursion
guard through incorrect virtual dispatch. The result is an application
crash (denial of service).
This issue affects Qt SVG:
from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
AI Analysis
Type confusion vulnerability in Qt SVG allowing an attacker to cause an application crash via a crafted SVG image
Basic Information
ID
CVE-2026-6210
Source
TQtC
Published
May 6, 2026 at 11:59
Modified
May 6, 2026 at 13:11
Affected Product
Vendor
The Qt Company
Product
Qt
Version
6.7.0
Affected Versions
The Qt Company Qt 6.7.0
The Qt Company Qt 6.9.0
The Qt Company Qt 6.9.0
CWE Classification
AI Assessment
AI Score
8.7 / 10
AI Severity
High
Vendor
The Qt Company
Product
Qt SVG
Version
6.7.0, 6.9.0