June 11, 2025 by Andy Shaw
Loading a specifically crafted ICNS format image file triggers a crash.
This has been assigned the CVE id CVE-2025-5683.
Affected versions: All versions of Qt from 6.3.0 through 6.5.9, from 6.6.0 through 6.8.4, and 6.9.0. This is fixed in 6.5.10, 6.8.5 and 6.9.1.
Impact: If QImage is passed a specifically crafted ICNS format image file, then it will trigger a crash. This can happen directly via one of the load functions, or via another class which is using QImage for rendering elsewhere, such as QTextDocument.
Vulnerability Score: CVSS v4.0: 5.1
Solution:
Apply the following patch for your version or update to 6.5.10, 6.8.5 or 6.9.1.
6.9: https://download.qt.io/official_releases/qt/6.9/CVE-2025-5683-qtimageformats-6.9.patch or https://codereview.qt-project.org/c/qt/qtimageformats/+/646840
6.8: https://download.qt.io/official_releases/qt/6.8/CVE-2025-5683-qtimageformats-6.8.patch or https://codereview.qt-project.org/c/qt/tqtc-qtimageformats/+/646932
6.5: https://download.qt.io/official_releases/qt/6.5/CVE-2025-5683-qtimageformats-6.5.patch or https://codereview.qt-project.org/c/qt/tqtc-qtimageformats/+/646997
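As an added defensive check, not part of the advisory or of Qt itself: the affected-version ranges and the ICNS entry path described above, expressed as a runtime gate that refuses to hand ICNS data (recognised by its "icns" magic rather than by file extension) to QImage on an unpatched build. The function names, the version-string input (the value qVersion() reports at runtime) and the sample bytes are assumptions; the version ranges are exactly those listed in this advisory.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Same packing as Qt's QT_VERSION_CHECK macro: 0xMMNNPP.
constexpr int versionCheck(int major, int minor, int patch) {
    return (major << 16) | (minor << 8) | patch;
}

// Parse "6.8.4" (the form qVersion() returns) into the packed form.
// Returns -1 on malformed input so callers can fail closed.
int parseQtVersion(const std::string &s) {
    int major = 0, minor = 0, patch = 0;
    if (std::sscanf(s.c_str(), "%d.%d.%d", &major, &minor, &patch) != 3) return -1;
    if (major < 0 || minor < 0 || patch < 0 || minor > 255 || patch > 255) return -1;
    return versionCheck(major, minor, patch);
}

// Affected ranges exactly as listed in the advisory for CVE-2025-5683.
bool isAffectedByCve20255683(int packedVersion) {
    struct Range { int lo, hi; };
    static const Range ranges[] = {
        {versionCheck(6, 3, 0), versionCheck(6, 5, 9)},   // fixed in 6.5.10
        {versionCheck(6, 6, 0), versionCheck(6, 8, 4)},   // fixed in 6.8.5
        {versionCheck(6, 9, 0), versionCheck(6, 9, 0)},   // fixed in 6.9.1
    };
    for (const Range &r : ranges)
        if (packedVersion >= r.lo && packedVersion <= r.hi) return true;
    return false;
}

// ICNS files begin with the 4-byte magic "icns" followed by a big-endian
// 32-bit total length. Sniffing the magic catches ICNS data no matter what
// extension or content type the untrusted sender attached to it.
bool looksLikeIcns(const std::vector<uint8_t> &data) {
    return data.size() >= 8 && data[0] == 'i' && data[1] == 'c' &&
           data[2] == 'n' && data[3] == 's';
}

// Gate for untrusted image bytes: true only when it is safe to pass the
// buffer to QImage/QImageReader (or to a class that renders through QImage,
// such as QTextDocument) on the given runtime Qt version.
bool safeToDecode(const std::string &runtimeQtVersion, const std::vector<uint8_t> &data) {
    int v = parseQtVersion(runtimeQtVersion);
    if (v < 0) return false;                                   // unknown version: fail closed
    if (looksLikeIcns(data) && isAffectedByCve20255683(v)) return false;
    return true;
}
```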
Download the latest release here: www.qt.io/download.