Bug 2369722 (CVE-2025-5455) - CVE-2025-5455 qt5: qt6: QtCore Assertion Failure Denial of Service
Summary: CVE-2025-5455 qt5: qt6: QtCore Assertion Failure Denial of Service
Keywords:
Status: NEW
Alias: CVE-2025-5455
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2369868 2369869 2369870 2369871 2369872
Blocks:
Reported: 2025-06-02 09:01 UTC by OSIDB Bzimport
Modified: 2025-06-24 09:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2025:9462 0 None None None 2025-06-24 09:37:57 UTC
Red Hat Product Errata RHSA-2025:9486 0 None None None 2025-06-24 08:42:11 UTC

Description OSIDB Bzimport 2025-06-02 09:01:07 UTC
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.

If the function was called with malformed data, for example, a URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort).

This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
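
For triage, the affected version ranges and the malformed input shape from the description above can be checked as follows. This is an added example, not part of the bug report or of Qt's code: the function names are hypothetical, and flagging any valueless "charset" segment before the first comma is a conservative assumption, not a statement of what qDecodeDataUrl() parses.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <string>
#include <tuple>

// Added example, not Qt code. Lowercase a string and strip surrounding whitespace.
static std::string lower_trim(const std::string& s) {
    std::size_t b = 0, e = s.size();
    while (b < e && std::isspace(static_cast<unsigned char>(s[b]))) ++b;
    while (e > b && std::isspace(static_cast<unsigned char>(s[e - 1]))) --e;
    std::string out = s.substr(b, e - b);
    std::transform(out.begin(), out.end(), out.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return out;
}

// True when a data: URL has a "charset" segment with no value before the
// first ',' (for example "data:charset," or "data:text/plain;charset=,x").
bool has_valueless_charset(const std::string& url) {
    if (lower_trim(url.substr(0, 5)) != "data:") return false;
    std::size_t comma = url.find(',', 5);
    std::string header = url.substr(5, comma == std::string::npos ? comma : comma - 5);
    std::size_t start = 0;
    while (true) {
        std::size_t semi = header.find(';', start);
        std::size_t len = semi == std::string::npos ? semi : semi - start;
        std::string seg = lower_trim(header.substr(start, len));
        if (seg.compare(0, 7, "charset") == 0) {
            std::string rest = lower_trim(seg.substr(7));
            if (rest.empty() || rest == "=") return true;  // "charset" or "charset="
        }
        if (semi == std::string::npos) break;
        start = semi + 1;
    }
    return false;
}

// Affected ranges exactly as stated in the bug description.
typedef std::tuple<int, int, int> QtVersion;
bool qt_version_affected(const QtVersion& v) {
    if (v <= QtVersion(5, 15, 18)) return true;                           // up to 5.15.18
    if (v >= QtVersion(6, 0, 0) && v <= QtVersion(6, 5, 8)) return true;  // 6.0.0 -> 6.5.8
    if (v >= QtVersion(6, 6, 0) && v <= QtVersion(6, 8, 3)) return true;  // 6.6.0 -> 6.8.3
    return v == QtVersion(6, 9, 0);                                       // 6.9.0
}

int main() { return has_valueless_charset("data:charset,") ? 0 : 1; }
```

Upgrading to a fixed Qt release is the remedy; the URL check is only useful for screening untrusted input or logs on hosts that still run an affected, assertion-enabled build.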

Comment 3 errata-xmlrpc 2025-06-24 08:42:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:9486 https://access.redhat.com/errata/RHSA-2025:9486

Comment 4 errata-xmlrpc 2025-06-24 09:37:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:9462 https://access.redhat.com/errata/RHSA-2025:9462

