Use After Free Vulnerability in Qt's QHttp2ProtocolHandler
CVE-2025-5991

2.1 LOW

Key Information:

Status
Vendor
CVE Published: 11 June 2025

What is CVE-2025-5991?

A use-after-free vulnerability exists in QHttp2ProtocolHandler in the QtNetwork module, in its handling of HTTP/2 requests. The issue is caused by a race condition between uploading the body of a POST request and handling an HTTP error response, which creates a potential security risk. The vulnerability is fixed in Qt 6.9.1, so users of the affected version 6.9.0 should update.

Affected Version(s)

Qt 6.9.0

Qt 0 < 6.9.0

Qt 6.9.1

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
