rpm package
almalinux/qt5-qtbase-static
pkg:rpm/almalinux/qt5-qtbase-static
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-5455 | Hig | — | < 5.15.9-11.el9_6 | 5.15.9-11.el9_6 | Jun 2, 2025 | An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a val | |
| CVE-2024-39936 | — | < 5.15.3-8.el8_10 | 5.15.3-8.el8_10 | Jul 4, 2024 | An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not | ||
| CVE-2024-25580 | — | < 5.15.9-9.el9 | 5.15.9-9.el9 | Mar 27, 2024 | An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file. | ||
| CVE-2023-51714 | — | < 5.15.9-9.el9 | 5.15.9-9.el9 | Dec 24, 2023 | An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check. | ||
| CVE-2023-37369 | — | < 5.15.9-7.el9 | 5.15.9-7.el9 | Aug 20, 2023 | In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length. | ||
| CVE-2023-38197 | — | < 5.15.9-7.el9 | 5.15.9-7.el9 | Jul 13, 2023 | An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion. | ||
| CVE-2023-34410 | — | < 5.15.9-7.el9 | 5.15.9-7.el9 | Jun 5, 2023 | An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. | ||
| CVE-2023-33285 | — | < 5.15.9-7.el9 | 5.15.9-7.el9 | May 22, 2023 | An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. | ||
| CVE-2023-32573 | — | < 5.15.9-7.el9 | 5.15.9-7.el9 | May 10, 2023 | In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled. | ||
| CVE-2021-3481 | — | < 5.15.2-3.el8 | 5.15.2-3.el8 | Aug 22, 2022 | A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. | ||
| CVE-2021-38593 | — | < 5.15.2-4.el8 | 5.15.2-4.el8 | Aug 12, 2021 | Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke). | ||
| CVE-2020-0569 | — | < 5.12.5-6.el8 | 5.12.5-6.el8 | Nov 23, 2020 | Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access. | ||
| CVE-2020-0570 | — | < 5.12.5-6.el8 | 5.12.5-6.el8 | Sep 14, 2020 | Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access. | ||
| CVE-2020-17507 | — | < 5.12.5-8.el8 | 5.12.5-8.el8 | Aug 12, 2020 | An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read. | ||
| CVE-2020-13962 | — | < 5.12.5-6.el8 | 5.12.5-6.el8 | Jun 8, 2020 | Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any h | ||
| CVE-2018-21035 | — | < 5.12.5-6.el8 | 5.12.5-6.el8 | Feb 28, 2020 | In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption). | ||
| CVE-2015-9541 | — | < 5.12.5-6.el8 | 5.12.5-6.el8 | Jan 24, 2020 | Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564. |
- affected < 5.15.9-11.el9_6fixed 5.15.9-11.el9_6
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a val
- CVE-2024-39936Jul 4, 2024affected < 5.15.3-8.el8_10fixed 5.15.3-8.el8_10
An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not
- CVE-2024-25580Mar 27, 2024affected < 5.15.9-9.el9fixed 5.15.9-9.el9
An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.
- CVE-2023-51714Dec 24, 2023affected < 5.15.9-9.el9fixed 5.15.9-9.el9
An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
- CVE-2023-37369Aug 20, 2023affected < 5.15.9-7.el9fixed 5.15.9-7.el9
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- CVE-2023-38197Jul 13, 2023affected < 5.15.9-7.el9fixed 5.15.9-7.el9
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- CVE-2023-34410Jun 5, 2023affected < 5.15.9-7.el9fixed 5.15.9-7.el9
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- CVE-2023-33285May 22, 2023affected < 5.15.9-7.el9fixed 5.15.9-7.el9
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
- CVE-2023-32573May 10, 2023affected < 5.15.9-7.el9fixed 5.15.9-7.el9
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- CVE-2021-3481Aug 22, 2022affected < 5.15.2-3.el8fixed 5.15.2-3.el8
A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access.
- CVE-2021-38593Aug 12, 2021affected < 5.15.2-4.el8fixed 5.15.2-4.el8
Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
- CVE-2020-0569Nov 23, 2020affected < 5.12.5-6.el8fixed 5.12.5-6.el8
Out of bounds write in Intel(R) PROSet/Wireless WiFi products on Windows 10 may allow an authenticated user to potentially enable denial of service via local access.
- CVE-2020-0570Sep 14, 2020affected < 5.12.5-6.el8fixed 5.12.5-6.el8
Uncontrolled search path in the QT Library before 5.14.0, 5.12.7 and 5.9.10 may allow an authenticated user to potentially enable elevation of privilege via local access.
- CVE-2020-17507Aug 12, 2020affected < 5.12.5-8.el8fixed 5.12.5-8.el8
An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.
- CVE-2020-13962Jun 8, 2020affected < 5.12.5-6.el8fixed 5.12.5-6.el8
Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any h
- CVE-2018-21035Feb 28, 2020affected < 5.12.5-6.el8fixed 5.12.5-6.el8
In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames and 2GB for messages. Smaller limits cannot be configured. This makes it easier for attackers to cause a denial of service (memory consumption).
- CVE-2015-9541Jan 24, 2020affected < 5.12.5-6.el8fixed 5.12.5-6.el8
Qt through 5.14 allows an exponential XML entity expansion attack via a crafted SVG document that is mishandled in QXmlStreamReader, a related issue to CVE-2003-1564.