CVE-2026-6210 (GCVE-0-2026-6210)
Vulnerability from cvelistv5 – Published: 2026-05-06 11:59 – Updated: 2026-05-06 13:11
VLAI?
Title
Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash
Summary
A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.
When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,
followed by an endless recursion that bypasses the marker recursion
guard through incorrect virtual dispatch. The result is an application
crash (denial of service).
This issue affects Qt SVG:
from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Qt Company | Qt |
Affected:
6.7.0 , < 6.8.8
(python)
Affected: 6.9.0 , < 6.11.1 (python) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-06T13:11:30.336334Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T13:11:44.674Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"Qt SVG"
],
"product": "Qt",
"programFiles": [
"src/svg/qsvgstructure.cpp"
],
"repo": "git://code.qt.io/qt/qtsvg.git",
"vendor": "The Qt Company",
"versions": [
{
"lessThan": "6.8.8",
"status": "affected",
"version": "6.7.0",
"versionType": "python"
},
{
"lessThan": "6.11.1",
"status": "affected",
"version": "6.9.0",
"versionType": "python"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.\u003c/p\u003e\u003cp\u003eWhen processing SVG marker references, the renderer retrieves a node by its \u003ccode\u003eid\u003c/code\u003e attribute and casts it to \u003ccode\u003eQSvgMarker*\u003c/code\u003e without verifying the node type. A non-marker element (such as a \u003ccode\u003e\u0026lt;line\u0026gt;\u003c/code\u003e element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between \u003ccode\u003eQSvgLine\u003c/code\u003e and \u003ccode\u003eQSvgMarker\u003c/code\u003e,\n followed by an endless recursion that bypasses the marker recursion \nguard through incorrect virtual dispatch. The result is an application \ncrash (denial of service).\u003c/p\u003e\u003cp\u003eThis issue affects Qt SVG:\u0026nbsp;\nfrom 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.\u003c/p\u003e"
}
],
"value": "A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.\n\n\n\nWhen processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a \u003cline\u003e element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,\n followed by an endless recursion that bypasses the marker recursion \nguard through incorrect virtual dispatch. The result is an application \ncrash (denial of service).\n\n\n\nThis issue affects Qt SVG:\u00a0\nfrom 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "Application crash (denial of service)"
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "Heap-based buffer overflow via out-of-bounds field access on miscast pointer"
}
]
},
{
"descriptions": [
{
"lang": "en",
"value": "Endless recursion due to recursion guard bypass on miscast vtable dispatch"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-843",
"description": "CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-06T11:59:01.727Z",
"orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"shortName": "TQtC"
},
"references": [
{
"url": "https://codereview.qt-project.org/c/qt/qtsvg/+/724887"
},
{
"url": "https://issues.oss-fuzz.com/issues/496327371"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Apply fix: \u003ca href=\"https://codereview.qt-project.org/c/qt/qtsvg/+/724887\"\u003ehttps://codereview.qt-project.org/c/qt/qtsvg/+/724887\u003c/a\u003e"
}
],
"value": "Apply fix: https://codereview.qt-project.org/c/qt/qtsvg/+/724887"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash",
"x_generator": {
"engine": "Vulnogram 1.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
"assignerShortName": "TQtC",
"cveId": "CVE-2026-6210",
"datePublished": "2026-05-06T11:59:01.727Z",
"dateReserved": "2026-04-13T12:16:27.416Z",
"dateUpdated": "2026-05-06T13:11:44.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-6210",
"date": "2026-05-08",
"epss": "0.00042",
"percentile": "0.12712"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-6210\",\"sourceIdentifier\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"published\":\"2026-05-06T12:16:49.957\",\"lastModified\":\"2026-05-07T15:10:53.070\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.\\n\\n\\n\\nWhen processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a \u003cline\u003e element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,\\n followed by an endless recursion that bypasses the marker recursion \\nguard through incorrect virtual dispatch. The result is an application \\ncrash (denial of service).\\n\\n\\n\\nThis issue affects Qt SVG:\u00a0\\nfrom 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"},{\"lang\":\"en\",\"value\":\"CWE-843\"}]}],\"references\":[{\"url\":\"https://codereview.qt-project.org/c/qt/qtsvg/+/724887\",\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\"},{\"url\":\"https://issues.oss-fuzz.com/issues/496327371\",\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-6210\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-06T13:11:30.336334Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-06T13:11:37.140Z\"}}], \"cna\": {\"title\": \"Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Application crash (denial of service)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"value\": \"Heap-based buffer overflow via out-of-bounds field access on miscast pointer\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"value\": \"Endless recursion due to recursion guard bypass on miscast vtable dispatch\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"git://code.qt.io/qt/qtsvg.git\", \"vendor\": \"The Qt Company\", \"modules\": [\"Qt SVG\"], \"product\": \"Qt\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.7.0\", \"lessThan\": \"6.8.8\", \"versionType\": \"python\"}, {\"status\": \"affected\", \"version\": \"6.9.0\", \"lessThan\": \"6.11.1\", \"versionType\": \"python\"}], \"programFiles\": [\"src/svg/qsvgstructure.cpp\"], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Apply fix: https://codereview.qt-project.org/c/qt/qtsvg/+/724887\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Apply fix: \u003ca href=\\\"https://codereview.qt-project.org/c/qt/qtsvg/+/724887\\\"\u003ehttps://codereview.qt-project.org/c/qt/qtsvg/+/724887\u003c/a\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://codereview.qt-project.org/c/qt/qtsvg/+/724887\"}, {\"url\": \"https://issues.oss-fuzz.com/issues/496327371\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.1\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.\\n\\n\\n\\nWhen processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a \u003cline\u003e element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker,\\n followed by an endless recursion that bypasses the marker recursion \\nguard through incorrect virtual dispatch. The result is an application \\ncrash (denial of service).\\n\\n\\n\\nThis issue affects Qt SVG:\\u00a0\\nfrom 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eA type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image.\u003c/p\u003e\u003cp\u003eWhen processing SVG marker references, the renderer retrieves a node by its \u003ccode\u003eid\u003c/code\u003e attribute and casts it to \u003ccode\u003eQSvgMarker*\u003c/code\u003e without verifying the node type. A non-marker element (such as a \u003ccode\u003e\u0026lt;line\u0026gt;\u003c/code\u003e element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between \u003ccode\u003eQSvgLine\u003c/code\u003e and \u003ccode\u003eQSvgMarker\u003c/code\u003e,\\n followed by an endless recursion that bypasses the marker recursion \\nguard through incorrect virtual dispatch. The result is an application \\ncrash (denial of service).\u003c/p\u003e\u003cp\u003eThis issue affects Qt SVG:\u0026nbsp;\\nfrom 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-843\", \"description\": \"CWE-843 Access of Resource Using Incompatible Type (\u0027Type Confusion\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122 Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"shortName\": \"TQtC\", \"dateUpdated\": \"2026-05-06T11:59:01.727Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-6210\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-06T13:11:44.674Z\", \"dateReserved\": \"2026-04-13T12:16:27.416Z\", \"assignerOrgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"datePublished\": \"2026-05-06T11:59:01.727Z\", \"assignerShortName\": \"TQtC\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…