
Security advisory: Untrusted Search Path vulnerability in OpenSSL backend certificate loading mechanism of Qt


An Untrusted Search Path vulnerability in the OpenSSL backend certificate loading mechanism of Qt has been discovered and has been assigned the CVE id CVE-2025-14575.

Affected versions: Qt 5.0.0 through Qt 6.5.9, Qt 6.6.0 through Qt 6.8.3, and Qt 6.9.0 through Qt 6.9.1, on Unix and Linux platforms (excluding macOS).

Impact: Untrusted Search Path vulnerability in Qt's OpenSSL backend on Unix and Linux allows loading of certificates from the current working directory under specific conditions.

This issue affects applications using Qt's SSL/TLS functionality on Unix-based systems (excluding macOS). Before the fix (Qt 6.9.2, with backports in Qt 6.8.4 and Qt 6.5.10), a combination of canonicalPath returning an empty string for a broken symlink and QSslCertificate::fromPath searching the current working directory when given an empty path could result in unexpected certificates being loaded as trusted system certificates.

The vulnerability requires specific preconditions to be exploitable: either broken symlinks must exist in the system CA certificate directory, or a race condition must occur during a certificate store update, combined with the application's current working directory being one an attacker can write to (such as Downloads or /tmp). Successful exploitation could allow an attacker to perform man-in-the-middle attacks by having malicious certificates loaded as trusted system certificates, potentially leading to information disclosure or integrity violations of encrypted communications.

This vulnerability is considered minor: it requires a system misconfiguration and does not affect properly configured systems that support on-demand certificate loading (most modern systems).

CVSS 4.0 Score: 1.8 / Low

Vector String: CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Mitigation:

  1. Ensure your system is properly configured to support on-demand certificate loading (most modern systems support this by default)
  2. Verify that system CA certificate directories do not contain broken symlinks
  3. Avoid running Qt applications from untrusted directories such as Downloads, /tmp, or other world-writable locations
  4. Deploy applications with proper working directory controls
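The failure mode described above (an empty canonical path for a dangling symlink flowing into a loader that treats an empty path as "the current directory") and mitigation step 2 (finding dangling symlinks in the CA directory) are illustrated by the following added example. It is a stand-alone reconstruction written for this page using std::filesystem; it does not use Qt, is not the project's code or its patch, and all function names (canonical_or_empty, load_like_fromPath, system_certs_vulnerable, system_certs_hardened, dangling_links, make_fixture) and the temporary directory layout it builds are constructed for illustration.

```cpp
// Reconstruction of the CVE-2025-14575 failure mode with std::filesystem
// (no Qt dependency). All function names here are illustrative.
#include <filesystem>
#include <fstream>
#include <iostream>
#include <set>
#include <string>
#include <vector>
#include <unistd.h>

namespace fs = std::filesystem;

// Mirrors the canonicalPath() behaviour the advisory describes: the resolved
// path when the entry exists, an empty string when a symlink target is missing.
std::string canonical_or_empty(const fs::path &p) {
    std::error_code ec;
    fs::path c = fs::canonical(p, ec);   // ec is set for a dangling symlink
    return ec ? std::string() : c.string();
}

// Models fromPath(path) as the advisory describes it: an empty path makes the
// loader enumerate the current working directory instead of failing.
// Returns the files it would load rather than parsing them.
std::vector<std::string> load_like_fromPath(const std::string &path, const fs::path &cwd) {
    std::vector<std::string> out;
    if (path.empty()) {
        for (const auto &e : fs::directory_iterator(cwd)) {
            const auto ext = e.path().extension();
            if (ext == ".pem" || ext == ".crt") out.push_back(e.path().string());
        }
    } else if (fs::is_regular_file(path)) {
        out.push_back(path);
    }
    return out;
}

// Vulnerable flow: canonicalise every CA-directory entry (to de-duplicate
// symlinked certificates) and hand each result to the loader, including the
// empty string produced by a broken symlink.
std::vector<std::string> system_certs_vulnerable(const fs::path &ca_dir, const fs::path &cwd) {
    std::set<std::string> files;
    for (const auto &e : fs::directory_iterator(ca_dir))
        files.insert(canonical_or_empty(e.path()));
    std::vector<std::string> certs;
    for (const auto &f : files)
        for (const auto &c : load_like_fromPath(f, cwd)) certs.push_back(c);
    return certs;
}

// Hardened flow (one possible fix, not necessarily the project's patch):
// drop entries whose canonical path is empty before they reach the loader.
std::vector<std::string> system_certs_hardened(const fs::path &ca_dir, const fs::path &cwd) {
    std::set<std::string> files;
    for (const auto &e : fs::directory_iterator(ca_dir)) {
        const std::string c = canonical_or_empty(e.path());
        if (!c.empty()) files.insert(c);
    }
    std::vector<std::string> certs;
    for (const auto &f : files)
        for (const auto &c : load_like_fromPath(f, cwd)) certs.push_back(c);
    return certs;
}

// Mitigation check (step 2): list the dangling symlinks in a CA directory.
// Point it at /etc/ssl/certs or your distribution's equivalent.
std::vector<std::string> dangling_links(const fs::path &ca_dir) {
    std::vector<std::string> out;
    for (const auto &e : fs::directory_iterator(ca_dir))
        if (fs::is_symlink(e.symlink_status()) && canonical_or_empty(e.path()).empty())
            out.push_back(e.path().string());
    return out;
}

struct Fixture { fs::path ca_dir; fs::path cwd; };

// Constructed sample layout (not a real system): a CA directory with one
// certificate file and one dangling symlink, plus an attacker-writable
// "Downloads" directory holding evil.pem that serves as the working directory.
Fixture make_fixture() {
    const fs::path root = fs::temp_directory_path() /
        ("cve-2025-14575-demo-" + std::to_string(::getpid()));
    fs::remove_all(root);
    fs::create_directories(root / "certs");
    fs::create_directories(root / "Downloads");
    std::ofstream(root / "certs" / "good-ca.pem") << "constructed placeholder\n";
    std::ofstream(root / "Downloads" / "evil.pem") << "constructed placeholder\n";
    fs::create_symlink(root / "no-such-target.pem", root / "certs" / "dangling.pem");
    return {root / "certs", root / "Downloads"};
}

bool has_file(const std::vector<std::string> &v, const std::string &name) {
    for (const auto &s : v)
        if (fs::path(s).filename() == name) return true;
    return false;
}

int main() {
    const Fixture fx = make_fixture();
    std::cout << "vulnerable loads evil.pem: "
              << has_file(system_certs_vulnerable(fx.ca_dir, fx.cwd), "evil.pem") << "\n"
              << "hardened loads evil.pem:   "
              << has_file(system_certs_hardened(fx.ca_dir, fx.cwd), "evil.pem") << "\n"
              << "dangling links in CA dir:  " << dangling_links(fx.ca_dir).size() << "\n";
}
```

Compile with a C++17 compiler (for example g++ -std=c++17). The vulnerable flow picks up evil.pem from the working directory purely because the dangling symlink contributed an empty string to the set of canonical paths; the hardened flow never calls the loader with an empty path, so the same CA directory and the same working directory yield only good-ca.pem. Running dangling_links against the real CA directory is the programmatic form of mitigation step 2.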


Solution: Update to Qt 6.5.10, Qt 6.8.4, Qt 6.9.2 or a later release, or apply the corresponding patch below.

Patches:

Dev: https://codereview.qt-project.org/c/qt/qtbase/+/642967

6.9: https://codereview.qt-project.org/c/qt/qtbase/+/645356 or https://download.qt.io/official_releases/qt/6.9/CVE-2025-14575-qtbase-6.9.diff

6.8: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/645393 or https://download.qt.io/official_releases/qt/6.8/CVE-2025-14575-qtbase-6.8.diff

6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/645812 or https://download.qt.io/official_releases/qt/6.5/CVE-2025-14575-qtbase-6.5.diff
