Example CVE Resolution - the Solid Qt Process

This is a real-life example from summer 2024, resolved for multiple platforms with several patches and third-party involvement.

Qt Group takes care of that for our customers. You’d need to do it on your own otherwise!

  1. Email on Qt security mailing list

    Tuesday June 24th

    Email: Possible information leak

    Qt internal bug created at bugreports.qt.io/browse/QTBUG-126610

  2. Verified as a valid issue. CVE registration.

    Friday June 28th

    Registered with the CVE ID: CVE-2024-39936

  3. EWL: Customer notification. First patch, but it did not work.

    Saturday June 29th

  4. CVE creation

    Thursday July 4th

    The CVE gets a public link at nvd.nist.gov/vuln/detail/cve-2024-39936

  5. EWL: Customer update. Working patch, integration.

    Friday July 5th

  6. EWL: Customer resolution email

    Monday July 15th

  7. Public Security Advisory

    Wednesday July 17th

    Published at qt.io/blog/recently-discovered-http2-handling

The information contained on this page and this website does not constitute legal advice. It is provided for informational purposes and discussion of the subject matter only. Content is subject to change and The Qt Group does not guarantee the accuracy or currentness of the contents of this page nor is The Qt Group responsible for the content or operation of any external website that these pages link to—or that may link to—these pages. The information contained here is not, and should not be used as, a substitute for legal advice.