CVE-2026-6210

UNKNOWN 0.0

Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.

CWE	CWE-843 CWE-122
Vendor	the qt company
Product	qt
Published	May 6, 2026
Last Updated	May 6, 2026

Stay Ahead of the Next One

Get instant alerts for the qt company qt

Be the first to know when new unknown vulnerabilities affecting the qt company qt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

The Qt Company / Qt

6.7.0 < 6.8.8 6.9.0 < 6.11.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

codereview.qt-project.org: https://codereview.qt-project.org/c/qt/qtsvg/+/724887 issues.oss-fuzz.com: https://issues.oss-fuzz.com/issues/496327371