PatchSiren cyber security CVE debrief

CVE-2025-14576 Qt CVE debrief

CVE-2025-14576 is a high-severity vulnerability in the Qt SVG module. Insufficient validation of node IDs allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. This could lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access. The vulnerability has a CVSS score of 7.4 and is considered HIGH severity. It affects Qtdeclarative product versions 6.8.0 to 6.8.6 and 6.10.0 to 6.10.1.

Vendor: Qt
Product: Qtdeclarative
CVSS: HIGH 7.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-30
Original CVE updated: 2026-06-30
Advisory published: 2026-04-30
Advisory updated: 2026-06-30

Who should care

Developers and administrators using Qtdeclarative versions 6.8.0 to 6.8.6 or 6.10.0 to 6.10.1 should be aware of this vulnerability. Applications using the VectorImage component in Qt Quick are potentially impacted. Users of Red Hat products referenced in the errata notices should also take action.

Technical summary

The Qt SVG module does not properly validate node IDs in SVG files. When a malicious SVG file is loaded through the VectorImage component in Qt Quick, it can inject arbitrary QML/JavaScript code. This code execution occurs in the context of the Qt Quick application, which may have restricted privileges compared to native code execution. However, the impact can still be significant, including denial of service, information disclosure, or other security issues. The vulnerability is classified under CWE-94: Improper Control of Generation of Code ('Code Injection').

Defensive priority

Apply patches or updates from Qt as soon as possible. Review and update affected applications to ensure they handle SVG files securely.

Recommended defensive actions

  • Apply the official patches from Qt to update the Qtdeclarative module.
  • Restrict use of the VectorImage component to trusted SVG files.
  • Implement additional input validation and sanitization for SVG files before they reach the VectorImage component.
  • Monitor applications for suspicious behavior after updating.
  • Consider using alternative image formats where possible.
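As an added example (not code from PatchSiren or the Qt project), the following Python script shows one way to implement the second and third recommendations above as a pre-load filter: it parses an SVG document and rejects it if any element carries an id attribute outside a conservative allowlist, which is the attribute family the debrief names as the injection vector. The allowlist pattern, the function names and the sample SVG inputs are assumptions and constructed data for this example; the check is defense-in-depth for applications that cannot yet upgrade and does not replace the Qt patch.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Allowlist for id attribute values: an XML-Name-like token with no quotes,
# braces, parentheses, semicolons or whitespace. This policy is an assumption
# chosen for the example; it is deliberately stricter than what SVG permits.
SAFE_ID = re.compile(r"[A-Za-z_][A-Za-z0-9_.:-]{0,127}")

# Markup that could be used to abuse the checker itself (entity expansion)
# is rejected outright instead of being handed to the parser.
FORBIDDEN_MARKUP = (b"<!DOCTYPE", b"<!ENTITY")


def find_unsafe_ids(svg_bytes):
    """Return (tag, id) pairs for every element whose id fails the allowlist.

    Elements are visited in document order; the namespace prefix is stripped
    from the tag so callers see plain 'rect', 'circle', etc.
    Raises xml.etree.ElementTree.ParseError for malformed XML.
    """
    root = ET.fromstring(svg_bytes)
    unsafe = []
    for elem in root.iter():
        node_id = elem.get("id")
        if node_id is not None and SAFE_ID.fullmatch(node_id) is None:
            tag = elem.tag.rsplit("}", 1)[-1]
            unsafe.append((tag, node_id))
    return unsafe


def is_safe_svg(svg_bytes):
    """True only if the document parses and every id passes the allowlist."""
    if any(marker in svg_bytes for marker in FORBIDDEN_MARKUP):
        return False
    try:
        return not find_unsafe_ids(svg_bytes)
    except ET.ParseError:
        return False


# Constructed sample inputs for the example (not files from the advisory).
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect id="bg_rect-1" width="10" height="10"/>
  <circle id="dot.2" cx="5" cy="5" r="2"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect id="ok" width="10" height="10"/>
  <circle id="a{b}" cx="5" cy="5" r="2"/>
  <path id="two words" d="M0 0 L10 10"/>
</svg>"""


if __name__ == "__main__":
    # Usage: python svg_id_check.py file.svg  (exit 0 = accepted, 1 = rejected)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SUSPICIOUS_SVG
    accepted = is_safe_svg(data)
    print("accepted" if accepted else "rejected")
    sys.exit(0 if accepted else 1)
```

Run the filter on every SVG that arrives from an untrusted source (user uploads, downloaded themes, content fetched from the network) and only pass accepted files to VectorImage; files that are rejected should be logged with the offending tag and id so the event shows up in monitoring, which ties in with the fourth recommendation above.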

Evidence notes

The CVE record and NVD details provide information on the vulnerability. Red Hat has published several errata notices (RHSA-2026:20567, RHSA-2026:24987, RHSA-2026:7620, RHSA-2026:7846) related to this issue. A patch is available in the Qt code review system.

Official resources

This article is AI-assisted and based on the supplied source corpus.