
Security advisory: Type confusion and heap-buffer-overflow vulnerability in Qt SVG marker handling impacts Qt


A type confusion and heap-based buffer overflow vulnerability in the SVG marker and mask handling of the Qt SVG module has been discovered and has been assigned the CVE id CVE-2026-6210.

Affected versions: from Qt 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.

Impact: Loading and rendering an SVG image can cause node pointers (QSvgNode *) to be downcast to pointers of the wrong derived class (QSvgMarker *, QSvgMask *). Execution then enters a code path that does not expect, and therefore does not guard against, unbounded recursion. The result is an application crash (denial of service).

CVSS 4.0 Score: 8.7 (HIGH)

Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Mitigation: Ensure that all SVG content rendered by Qt SVG comes only from trusted sources. Applications should validate and sanitize SVG content before loading it, or implement additional controls that restrict which SVG sources users can load.
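One way to implement the "validate before loading" part of that mitigation, as an added example that is not Qt's code and not a reproducer for CVE-2026-6210: a pre-load structural check that rejects the two input shapes the impact statement points at, a marker-*/mask reference whose target is not a &lt;marker&gt;/&lt;mask&gt; element (the wrong node type) and a reference cycle among markers and masks (the unbounded recursion). The helper names, the finding strings and the sample SVG documents are this example's own assumptions.

```python
"""Pre-load structural check for SVG marker and mask references.

Added example for this advisory; not Qt project code and not a reproducer.
It flags references that resolve to the wrong element type and reference
cycles among <marker>/<mask> containers. Treat it as a heuristic gate in
front of the patched library, not as a substitute for the patch.
"""
import re
import xml.etree.ElementTree as ET

# Properties carrying url(#id) references and the element type each must
# resolve to. The same names are honoured inside a style="" attribute.
REF_PROPS = {
    "marker-start": "marker", "marker-mid": "marker", "marker-end": "marker",
    "marker": "marker", "mask": "mask",
}
_URL_RE = re.compile(r"url\(\s*['\"]?#([^'\")\s]+)['\"]?\s*\)")
_STYLE_RE = re.compile(r"([\w-]+)\s*:\s*([^;]+)")


def _local(tag):
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}marker' -> 'marker'."""
    return tag.rsplit("}", 1)[-1]


def _refs(elem):
    """Yield (property, target_id) for every marker/mask reference on elem."""
    pairs = list(elem.attrib.items()) + _STYLE_RE.findall(elem.get("style", ""))
    for prop, val in pairs:
        if prop in REF_PROPS:
            m = _URL_RE.search(val)
            if m:
                yield prop, m.group(1)


def _enclosing_container(elem, parents):
    """Id of the nearest <marker>/<mask> that contains elem (elem itself counts)."""
    while elem is not None:
        if _local(elem.tag) in ("marker", "mask") and elem.get("id"):
            return elem.get("id")
        elem = parents.get(elem)
    return None


def _find_cycle(edges):
    """Iterative DFS over id -> [id] edges; returns the first cycle found, else None."""
    state = {}  # id -> "active" (on the current DFS path) or "done"
    for start in edges:
        if start in state:
            continue
        path, iters, state[start] = [start], [iter(edges[start])], "active"
        while iters:
            nxt = next(iters[-1], None)
            if nxt is None:                  # subtree exhausted, backtrack
                state[path.pop()] = "done"
                iters.pop()
            elif state.get(nxt) == "active":  # back edge: cycle closed
                return path[path.index(nxt):] + [nxt]
            elif nxt not in state:
                state[nxt] = "active"
                path.append(nxt)
                iters.append(iter(edges.get(nxt, ())))
    return None


def check_svg_refs(svg_text):
    """Return a list of findings for svg_text; an empty list means it passed."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    by_id = {e.get("id"): e for e in root.iter() if e.get("id")}
    parents = {child: parent for parent in root.iter() for child in parent}
    findings, edges = [], {}
    for elem in root.iter():
        for prop, target in _refs(elem):
            want, tgt = REF_PROPS[prop], by_id.get(target)
            if tgt is None:
                findings.append(f"{prop} references missing id '{target}'")
            elif _local(tgt.tag) != want:
                findings.append(f"{prop} references <{_local(tgt.tag)}> id='{target}', expected <{want}>")
            else:
                # Only references made from inside a marker/mask can form a cycle.
                src = _enclosing_container(elem, parents)
                if src is not None:
                    edges.setdefault(src, []).append(target)
    cycle = _find_cycle(edges)
    if cycle:
        findings.append("reference cycle: " + " -> ".join(cycle))
    return findings


# Constructed sample documents for this example (not from any real report).
SAFE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <defs><marker id="arrow"><path d="M0 0 L4 2 L0 4 z"/></marker></defs>
  <path d="M10 10 L90 10" marker-end="url(#arrow)"/></svg>"""
SELF_REF_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <marker id="loop"><path d="M0 0 L4 4" marker-start="url(#loop)"/></marker>
  <path d="M10 10 L90 10" style="marker-end: url(#loop)"/></svg>"""
WRONG_TYPE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <g id="notmarker"/>
  <path d="M10 10 L90 10" marker-end="url(#notmarker)"/></svg>"""
MUTUAL_MASK_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <mask id="a"><rect width="1" height="1" mask="url(#b)"/></mask>
  <mask id="b"><rect width="1" height="1" mask="url(#a)"/></mask></svg>"""
```

Run the check and refuse to hand the document to QSvgRenderer when the returned list is non-empty. The standard-library parser is used here only to keep the example self-contained; untrusted XML should go through a hardened parser such as defusedxml, since entity expansion is a separate denial-of-service concern that this check does not address.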

Solution: Apply the following patch or update to Qt 6.8.8, Qt 6.11.1, or later.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtsvg/+/724887
Qt 6.11: https://codereview.qt-project.org/c/qt/qtsvg/+/727507 or https://download.qt.io/official_releases/qt/6.11/CVE-2026-6210-qtsvg-6.11.diff
Qt 6.10: https://codereview.qt-project.org/c/qt/qtsvg/+/732200 or https://download.qt.io/official_releases/qt/6.10/CVE-2026-6210-qtsvg-6.10.diff
Qt 6.8: https://codereview.qt-project.org/c/qt/tqtc-qtsvg/+/727630 or https://download.qt.io/official_releases/qt/6.8/CVE-2026-6210-qtsvg-6.8.diff
