PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-14575 The Qt Company CVE debrief

CVE-2025-14575 is a low-severity local trust-path issue in the OpenSSL TLS backend of Qt Network (qtbase) on Unix. According to the CVE description, a local attacker may place a crafted certificate file in an application's working directory and cause a rogue CA certificate to be loaded as a trusted system authority. NVD currently lists the record as Awaiting Analysis and maps the weakness to CWE-427 (Uncontrolled Search Path Element).

Vendor: The Qt Company
Product: Qt
CVSS: LOW 1.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Teams shipping Qt-based Unix applications that use the Qt Network OpenSSL backend, especially software that loads certificates or CA material from application-relative paths or runs in directories writable by untrusted users.

Technical summary

The reported issue is an uncontrolled search path element in the Qt Network OpenSSL TLS backend. The risk described in the CVE is that the application may resolve a certificate file from its working directory and treat attacker-controlled content as a trusted CA. The source record identifies a local attack vector, high attack complexity, no user interaction, and low confidentiality/integrity impact in the supplied CVSS 4.0 vector. The only supplied external reference is a Qt code review link, which suggests the issue was addressed in qtbase, but the provided corpus does not include patch details.

Defensive priority

Low, but worth addressing for applications that operate in writable or semi-trusted working directories, or that rely on implicit certificate discovery rather than explicit absolute paths.

Recommended defensive actions

  • Review Qt-based applications for any certificate or CA-loading logic that depends on the current working directory or other relative paths.
  • Prefer explicit, absolute certificate and trust-store paths over search-path-based resolution.
  • Ensure application startup directories are not writable by untrusted local users when trust decisions are made from local files.
  • Validate that any bundled or application-provided CA material cannot be shadowed by files in the working directory.
  • Track the Qt upstream reference associated with the issue and apply the relevant qtbase fix or vendor backport when available.
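As an added illustration of the first three actions above (example code, not Qt's or PatchSiren's), the following Python preflight check audits the trust-store paths an application loads against its working directory: it flags relative paths, parent directories writable by other local users, and certificate-looking files sitting in the working directory. The directory names, file names and extension list it uses are constructed for the demonstration.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed list of extensions a certificate loader might pick up.
CERT_SUFFIXES = {".pem", ".crt", ".cer", ".der"}

def dir_writable_by_others(directory: Path) -> bool:
    """True when group or world write bits are set on the directory."""
    return bool(directory.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_trust_paths(paths, cwd):
    """Return (path, finding) tuples for the trust-store paths an app loads.

    Flags relative paths (resolved against the working directory), parent
    directories writable by other local users, and certificate-looking
    files in the working directory that could shadow intended CA material.
    """
    cwd = Path(cwd)
    findings = []
    for raw in paths:
        p = Path(raw)
        if not p.is_absolute():
            findings.append((raw, "relative path resolves against working directory"))
            p = cwd / p
        if p.parent.is_dir() and dir_writable_by_others(p.parent):
            findings.append((raw, "parent directory writable by other local users"))
    for entry in sorted(cwd.iterdir()):
        if entry.is_file() and entry.suffix.lower() in CERT_SUFFIXES:
            findings.append((entry.name, "certificate file present in working directory"))
    return findings

def demo():
    """Constructed scenario: a world-writable working directory holding a stray
    PEM, one trust path given relative and one absolute in a locked-down dir."""
    with tempfile.TemporaryDirectory() as tmp:
        cwd = Path(tmp) / "app-cwd"
        cwd.mkdir()
        os.chmod(cwd, 0o777)  # writable by every local user
        (cwd / "rogue-ca.pem").write_text("constructed placeholder, not a real certificate\n")
        safe = Path(tmp) / "etc-certs"
        safe.mkdir()
        os.chmod(safe, 0o755)  # owner-writable only
        (safe / "ca-bundle.crt").write_text("constructed placeholder\n")
        return audit_trust_paths(["ca-bundle.pem", str(safe / "ca-bundle.crt")], cwd)

if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

Running `demo()` reports three findings for the constructed layout (the relative path, its world-writable parent, and the stray PEM) and none for the absolute path in the owner-only directory.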

Evidence notes

All factual claims are limited to the supplied CVE description, NVD metadata, and the single Qt code review reference. The CVE was published on 2026-05-19T14:16:27.120Z and modified at 2026-05-19T14:46:56.260Z. NVD lists vulnStatus as Awaiting Analysis, weakness CWE-427, and a CVSS 4.0 vector with local access and low impact. The vendor attribution in the supplied record is uncertain; the evidence points to the Qt Project, but no stronger vendor confirmation is present in the corpus.

Official resources

Publicly disclosed in the CVE record on 2026-05-19; the supplied NVD entry still shows Awaiting Analysis. No exploit proof, remediation notes, or patch specifics were included in the source corpus beyond the Qt code review reference.