PatchSiren cyber security CVE debrief

CVE-2016-10040 Qt CVE debrief

CVE-2016-10040 is a stack-based buffer overflow in Qt's QXmlSimpleReader affecting Qt 4.8.5. According to the NVD record, an XML file with multiple nested open tags can trigger an application crash, resulting in denial of service. The NVD CVSS vector rates the issue as medium severity and shows availability impact only.

Vendor: Qt
Product: CVE-2016-10040
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-03-07
Original CVE updated: 2026-05-13
Advisory published: 2017-03-07
Advisory updated: 2026-05-13

Who should care

Teams that ship or embed Qt 4.8.5, especially applications that parse untrusted XML. This includes desktop software, device firmware, and any service that accepts or processes XML content through QXmlSimpleReader.

Technical summary

The vulnerability is classified as CWE-119 and affects cpe:2.3:a:qt:qxmlsimplereader:4.8.5. The supplied NVD description states that multiple nested open tags in an XML file can cause a stack-based buffer overflow in QXmlSimpleReader, leading to an application crash. The CVSS 3.0 vector provided by NVD is AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H, which indicates user interaction is required and the primary impact is loss of availability.

Defensive priority

Medium. The issue is limited to denial of service, but it can still be important for applications that parse attacker-controlled XML or that treat parser stability as critical. Prioritize higher if the affected component is widely deployed or externally reachable through user-supplied files.

Recommended defensive actions

Inventory products and builds that include Qt 4.8.5 or QXmlSimpleReader.
Apply the vendor-fixed Qt update or an approved backport if your product still uses the affected parser.
Treat untrusted XML as high risk and reject or isolate malformed input before parsing.
Add crash monitoring and regression tests around XML parsing paths that process nested tags.
If immediate patching is not possible, reduce exposure by limiting where untrusted XML files can be opened or imported.

Evidence notes

The debrief is based on the supplied official NVD record and CVE metadata. Key evidence includes the NVD description of a stack-based buffer overflow in QXmlSimpleReader, the affected CPE entry for qt:qxmlsimplereader:4.8.5, the CWE-119 classification, and the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H. Timeline context uses the supplied CVE publishedAt value of 2017-03-07T15:59:00.237Z and modifiedAt value of 2026-05-13T00:24:29.033Z. The supplied references also show earlier disclosure-related material on 2016-12-24 and 2017-01-14, but those are not treated as the CVE issue date.

Official resources

CVE-2016-10040 CVE record
CVE.org
CVE-2016-10040 NVD detail
NVD
Source item URL
nvd_modified
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Mailing List, Third Party Advisory
Mitigation or vendor reference
[email protected] - Third Party Advisory, VDB Entry
Mitigation or vendor reference
[email protected] - Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry

Publicly disclosed in the supplied CVE record on 2017-03-07, with earlier disclosure-related references listed from 2016-12-24 and 2017-01-14. The CVE was later modified in the official NVD record on 2026-05-13.