Skip to main content

Security advisory: Recently discovered Use After Free issue in QHttp2ProtocolHandler impacts Qt

Jun 13, 2025

by Andy Shaw
Comments

There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. 

This has been assigned the CVE id CVE-2025-5991.

 

 

Affected versions: Qt version 6.9.0. This is fixed in 6.9.1.

Impact: This only affects HTTP/2 handling, HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses.

Vulnerability Score: CVSS v4.0: 2.1


Solution: 

Apply the following patch for Qt 6.9.0 or update to 6.9.1.

 

6.9: https://download.qt.io/official_releases/qt/6.9/CVE-2025-5991-qtbase-6.9.patch or https://codereview.qt-project.org/c/qt/qtbase/+/646572

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.10 Now!

Download the latest release here: www.qt.io/download

Qt 6.10 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Related Articles

Security advisory: Recently reported dr_wav issue impacts Qt

Security advisory: Recently reported dr_wav issue impacts Qt

A recently reported issue regarding the loading of specifically crafted..

Read Article
Qt Quick Certification Tests Published

Qt Quick Certification Tests Published

In 2025, we launched the Qt Certification Testing Platform with the Qt..

Read Article
Congratulations Qt Champions 2025!

Congratulations Qt Champions 2025!

Through the Qt Project, both The Qt Group and a global community of..

Read Article