The Qt Group has released a critical security advisory addressing two severe vulnerabilities in the Qt SVG module — tracked as CVE-2025-10728 and CVE-2025-10729 — that could lead to denial of service (DoS) and use-after-free memory corruption, respectively. Both flaws carry a CVSS 4.0 base score of 9.4, indicating critical severity.
The first issue, CVE-2025-10728, affects Qt 6.7.0 through 6.8.4, and 6.9.0 through 6.9.2. The flaw occurs when rendering maliciously crafted SVG files that contain recursive <pattern> elements.
Qt explains that “when the module renders a SVG file that contains a <pattern> element, it might end up rendering it recursively leading to stack overflow DoS.”
In essence, an attacker could abuse the recursive rendering logic: a <pattern> that refers back to itself is rendered again and again, each level consuming stack space, until the stack is exhausted and the application or host system crashes, a stack overflow denial-of-service condition.
While this vulnerability cannot be directly exploited for code execution, its potential to destabilize software relying on Qt-based graphical rendering makes it a serious reliability and availability threat, especially for embedded devices and user interface frameworks processing untrusted SVG assets.
The second flaw, CVE-2025-10729, also impacts the same versions (Qt 6.7.0 to 6.8.4 and 6.9.0 to 6.9.2), but its nature is far more dangerous. The vulnerability arises when the module parses a <pattern> node that is not a child of a structural node in an SVG file.
The advisory warns that “when the module parses a <pattern> node which is not a child of a structural node, the node gets deleted after creation but might be accessed later leading to a use after free.”
This use-after-free bug can lead to undefined behavior, including potential remote code execution (RCE) depending on how memory is reallocated. In environments where SVG rendering is exposed to untrusted input — such as in web engines, UI design tools, or document viewers — this could allow attackers to execute arbitrary code under the privileges of the affected application.
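The two document shapes the advisory describes can be screened for before a file ever reaches an unpatched renderer. The following is an added example, not Qt code: a Python pre-render gate that parses an SVG and reports a <pattern> that is not a direct child of a structural element (the CVE-2025-10729 shape) and any <pattern> that is reachable from itself through url(#id) paint references, covering indirect chains (A paints with B, B paints with A) as well as the direct self-reference. The set of "structural" elements is an assumption taken from the SVG specification's terminology, not from Qt's parser, and the sample documents are constructed for the test.

```python
"""Pre-render gate for SVG files headed to a Qt SVG build that is not yet patched.

Added example, not Qt code. It flags the shapes named in the Qt advisory:
  - CVE-2025-10728: a <pattern> that paints (transitively) with itself
  - CVE-2025-10729: a <pattern> whose parent is not a structural element
Assumption: STRUCTURAL lists the SVG spec's structural container elements.
"""
import re
import xml.etree.ElementTree as ET

# Assumption (SVG spec terminology), not taken from Qt's source.
STRUCTURAL = {"svg", "g", "defs", "symbol", "use"}
URL_REF = re.compile(r"url\(\s*#([^)\s]+)\s*\)")
PAINT_ATTRS = ("fill", "stroke", "style")
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"


def _local(tag):
    """Strip the namespace: '{http://www.w3.org/2000/svg}pattern' -> 'pattern'."""
    return tag.rsplit("}", 1)[-1]


def _referenced_ids(el):
    """Every #id an element points at via paint attributes or href."""
    ids = set()
    for attr in PAINT_ATTRS:
        value = el.get(attr)
        if value:
            ids.update(URL_REF.findall(value))
    for attr in ("href", XLINK_HREF):
        value = el.get(attr)
        if value and value.startswith("#"):
            ids.add(value[1:])
    return ids


def _reaches_self(edges, start):
    """Depth-first walk over pattern->pattern edges: is `start` reachable from itself?"""
    stack, seen = list(edges.get(start, ())), set()
    while stack:
        node = stack.pop()
        if node == start:
            return True
        if node not in seen:
            seen.add(node)
            stack.extend(edges.get(node, ()))
    return False


def check_svg(svg_text):
    """Return a list of findings; an empty list means neither shape was seen.

    Parse untrusted input with a hardened parser (e.g. defusedxml) in production;
    the standard-library parser is used here only to keep the example self-contained.
    """
    root = ET.fromstring(svg_text)
    parent_of = {child: p for p in root.iter() for child in p}
    patterns, findings = {}, []
    for el in root.iter():
        if _local(el.tag) != "pattern":
            continue
        p = parent_of.get(el)
        if p is None or _local(p.tag) not in STRUCTURAL:
            where = _local(p.tag) if p is not None else "(document root)"
            findings.append(f"pattern id={el.get('id')!r} is a child of non-structural "
                            f"<{where}> (CVE-2025-10729 shape)")
        if el.get("id"):
            patterns[el.get("id")] = el
    # Edge pattern -> patterns referenced anywhere inside its subtree (itself included).
    edges = {pid: {r for sub in el.iter() for r in _referenced_ids(sub) if r in patterns}
             for pid, el in patterns.items()}
    recursive = sorted(pid for pid in patterns if _reaches_self(edges, pid))
    if recursive:
        findings.append("recursive pattern reference involving "
                        + ", ".join(recursive) + " (CVE-2025-10728 shape)")
    return findings


# Constructed sample documents for the test below; not taken from any report.
CLEAN = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <defs><pattern id="dots" width="4" height="4" patternUnits="userSpaceOnUse">
    <circle cx="2" cy="2" r="1" fill="black"/></pattern></defs>
  <rect width="10" height="10" fill="url(#dots)"/></svg>"""
SELF_REF = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <defs><pattern id="p" width="4" height="4">
    <rect width="4" height="4" fill="url(#p)"/></pattern></defs>
  <rect width="10" height="10" fill="url(#p)"/></svg>"""
MUTUAL = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <defs><pattern id="a" width="4" height="4"><rect width="4" height="4" fill="url(#b)"/></pattern>
    <pattern id="b" width="4" height="4"><rect width="4" height="4" style="stroke:url(#a)"/></pattern></defs>
  <rect width="10" height="10" fill="url(#a)"/></svg>"""
MISPLACED = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="url(#q)"><pattern id="q" width="4" height="4"/></rect></svg>"""

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("self-ref", SELF_REF), ("mutual", MUTUAL), ("misplaced", MISPLACED)):
        print(name, "->", check_svg(doc) or "ok")
```

A file that produces any finding is held back rather than rendered; an empty result only means these two shapes are absent, it does not certify the file as safe against anything else, so the gate complements the upgrade in the advisory instead of replacing it.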
Both vulnerabilities share a CVSS 4.0 base score of 9.4, reflecting their potential to cause complete denial of service or memory corruption when rendering malicious SVG files. The Qt SVG module is used widely across software ecosystems — from desktop environments (KDE Plasma) to embedded user interfaces in automotive, medical, and IoT systems — significantly broadening the potential attack surface.
Although no exploitation has been reported at the time of publication, these flaws underscore the persistent risk of supply chain vulnerabilities in graphical parsing libraries. Because SVGs are commonly used in user-facing applications, even a simple image upload could act as an attack vector.
Qt strongly advises developers and vendors integrating Qt SVG to take immediate steps:
- Upgrade to Qt 6.9.3 or 6.8.5 as soon as possible.
- Do not render untrusted SVG content until systems are fully patched.
- Review third-party dependencies and confirm whether they include the vulnerable module.
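For the dependency review in the last step, the affected and fixed versions stated above are enough to write a small triage pass over a component manifest. This is an added example, not Qt tooling: it reads one "<name> <version>" entry per line (a constructed format, not a real SBOM), picks out entries that look like the Qt SVG module, and reports whether each version falls inside the ranges the advisory lists and which fixed release applies; the version ranges come from the advisory text, the sample manifest is constructed.

```python
"""Dependency-review helper for the Qt SVG advisory (CVE-2025-10728 / CVE-2025-10729).

Added example, not Qt tooling. Ranges and fixes are taken from the advisory:
affected 6.7.0-6.8.4 and 6.9.0-6.9.2; fixed in 6.8.5 and 6.9.3.
Assumption: the manifest is one "<name> <version>" pair per line; '#' starts a comment.
"""

AFFECTED_RANGES = (((6, 7, 0), (6, 8, 4)), ((6, 9, 0), (6, 9, 2)))


def parse_version(text):
    """'6.8.3' -> (6, 8, 3). Short strings are padded ('6.8' -> (6, 8, 0)) and
    packaging suffixes such as '6.9.1-2' or '6.8.3+dfsg' are dropped."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(version):
    """True when the version lies inside either range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """Nearest fix named in the advisory: 6.8.5 for the 6.7/6.8 line, 6.9.3 for 6.9."""
    return "6.8.5" if parse_version(version) < (6, 9, 0) else "6.9.3"


def _looks_like_qt_svg(name):
    """Assumption: package names such as qt6-svg, Qt6Svg, qtsvg, libqt5svg5 all
    contain both 'qt' and 'svg' once lowercased."""
    n = name.lower()
    return "qt" in n and "svg" in n


def triage_manifest(lines):
    """Return (name, version, verdict) for every manifest entry, in order."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        if len(fields) != 2:
            continue  # malformed entry: neither name nor version, skip it
        name, version = fields
        if not _looks_like_qt_svg(name):
            verdict = "not the Qt SVG module"
        elif is_affected(version):
            verdict = "affected: upgrade to " + fixed_version_for(version)
        else:
            verdict = "outside advisory ranges"
        results.append((name, version, verdict))
    return results


# Constructed sample manifest for the test below; not a real SBOM.
MANIFEST = """# constructed sample
qt6-svg 6.8.3
Qt6Svg 6.9.3
qt6-base 6.8.3
libqt5svg5 5.15.2
qtsvg 6.9.1-2
"""

if __name__ == "__main__":
    for name, version, verdict in triage_manifest(MANIFEST.splitlines()):
        print(f"{name:<12} {version:<10} {verdict}")
```

"outside advisory ranges" is deliberately not worded as "safe": it only says the advisory does not list that version, and a vendored or statically linked Qt that never shows up in the manifest under an SVG-like name still has to be traced by hand.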