SB2026030628 - Ubuntu update for qtbase-opensource-src

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2026030628

SB2026030628 - Ubuntu update for qtbase-opensource-src

Published: March 6, 2026

Security Bulletin ID SB2026030628
Severity
High
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 20% Medium 40% Low 40%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Memory leak (CVE-ID: CVE-2020-13962)

The vulnerability allows a remote attacker to perform DoS attack on the target system.

The vulnerability exists due memory leak when handling TLS connections. A remote attacker can force the application to leak random memory parts to unrelated TLS sessions and cause a denial of service to QSslSocket users.


2) Out-of-bounds read (CVE-ID: CVE-2020-17507)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to buffer over-read. A remote attacker can perform a denial of service attack.


3) Code Injection (CVE-ID: CVE-2022-25255)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to QProcess can execute a binary from the current working directory when not found in the PATH. A local user can execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


4) Integer overflow (CVE-ID: CVE-2023-51714)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to integer overflow in network/access/http2/hpacktable.cpp within the HTTP2 implementation in Qt. A remote attacker can pass specially crafted data to the application, trigger integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


5) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-39936)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a race condition in HTTP2 support when establishing an encrypted connection. A remote attacker can potentially force the application to send data before the encrypted() signal, leading to potential information disclosure.


Remediation

Install update from vendor's website.

References