CVE-2021-38593 Overview
CVE-2021-38593 is an out-of-bounds write vulnerability affecting Qt 5.x before 5.15.6 and 6.x through 6.1.2. The flaw exists in the QOutlineMapper::convertPath function, which is called from QRasterPaintEngine::fill and QPaintEngineEx::stroke. This vulnerability can be triggered when processing specially crafted graphical content, potentially leading to application crashes and denial of service conditions.
Critical Impact
Applications using vulnerable Qt versions for rendering graphical content may be susceptible to denial of service attacks through maliciously crafted input that triggers the out-of-bounds write condition.
Affected Products
- Qt 5.x versions before 5.15.6
- Qt 6.x versions through 6.1.2
- Fedora 35 and Fedora 36 (via bundled Qt packages)
Discovery Timeline
- August 12, 2021 - CVE-2021-38593 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-38593
Vulnerability Analysis
This vulnerability (CWE-787: Out-of-bounds Write) occurs within Qt's painting subsystem, specifically in the path conversion and stroke rendering pipeline. It was found by fuzzing and is tracked as OSS-Fuzz issue 35566 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566). It manifests when QPaintEngineEx::stroke handles a dashed pen for a path whose extent is degenerate.
The root of the problem lies in how Qt decides whether a dashed stroke should go to the dash stroker at all. The stroke code already special-cased an extremely dense pattern: when extent / patternLength exceeds 10,000 (roughly ten thousand repetitions of the pattern along the path), it replaces the dashes with a semi-transparent solid line. A path whose extent is effectively zero sailed past that check, because its ratio is about zero rather than above 10,000, and was handed to the dash stroker; the resulting out-of-bounds write is reported in QOutlineMapper::convertPath, which is reached through QRasterPaintEngine::fill and QPaintEngineEx::stroke.
Root Cause
The vulnerability stems from insufficient validation of the extent variable in the dash-pattern branch of QPaintEngineEx::stroke. Note that extent is the numerator of the ratio, not the divisor: patternLength is already tested with qFuzzyIsNull before the division, so a zero extent does not divide by zero. It instead produces a ratio of zero, the extent / patternLength > 10000 early-out is not taken, and a zero-extent stroke proceeds into the dash stroker. The original code only checked that ratio and never checked whether extent itself was a valid, non-zero value.
Attack Vector
An attacker can trigger this vulnerability by providing malformed graphical content (such as SVG files, images, or Qt Quick/QML content) to applications that use Qt for rendering, provided the content reaches the stroke code with a dashed pen on a path of effectively zero extent. The attack vector is network-accessible when vulnerable applications render untrusted graphical content from remote sources. Successful exploitation results in application crashes, enabling denial of service against Qt-based applications.
// Security patch from QtBase (Source: https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862)
patternLength *= pen.widthF();
if (qFuzzyIsNull(patternLength)) {
pen.setStyle(Qt::NoPen);
- } else if (extent / patternLength > 10000) {
+ } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
// approximate stream of tiny dashes with semi-transparent solid line
pen.setStyle(Qt::SolidLine);
QColor color(pen.color());
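Review bot: the new qFuzzyIsNull(extent) guard on the else if only catches extents within qFuzzyIsNull's tolerance (|extent| <= 1e-12 for double); an extent that is tiny but larger than that still yields a ratio near zero, fails the > 10000 test, and falls through to the dash stroker exactly as before. If any near-zero extent is unsafe, compare against a minimum stroke length instead; if only a fuzzily-zero extent is the problem, add a comment on the condition saying so, since the comment that follows ("approximate stream of tiny dashes with semi-transparent solid line") only describes the dense-dash case. Also worth stating in a comment why a zero-extent stroke should get the semi-transparent Qt::SolidLine pen rather than the Qt::NoPen branch directly above it.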
The fix adds qFuzzyIsNull(extent) to the condition so that a path whose extent is effectively zero takes the same solid-line approximation branch as an over-dense dash pattern and never reaches the dash stroker. The guard protects the numerator, not the divisor: the division itself was already safe because patternLength is checked for zero first; what the fix removes is the degenerate path continuing into the stroker.
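To make the branch logic concrete, here is an added, stand-alone C++ model of the decision that the hunk above changes; it is not Qt source code. The three conditions are the ones visible in the hunk; the pattern-length accumulation, the route names and the sample extents are assumptions made for illustration, and qFuzzyIsNull is re-implemented with Qt's documented tolerance for double.

```cpp
// Added example, not Qt source: models the decision in QPaintEngineEx::stroke
// that the CVE-2021-38593 patch changes, before and after the fix.
#include <cmath>
#include <cstdio>
#include <vector>

// Same tolerance as Qt's qFuzzyIsNull(double): |d| <= 1e-12 counts as zero.
static bool fuzzyIsNull(double d) { return std::fabs(d) <= 0.000000000001; }

// Where the stroke ends up after the checks in the hunk (names are ours).
enum class StrokeRoute { NoPen, SolidApprox, DashStroker };

// Assumed stand-in for the pattern-length accumulation that precedes the
// visible `patternLength *= pen.widthF();` line.
static double patternLength(const std::vector<double>& pattern, double penWidth) {
    double len = 0.0;
    for (double d : pattern) len += d > 0.0 ? d : 0.0;
    return len * penWidth;
}

// Pre-patch condition: `else if (extent / patternLength > 10000)`.
StrokeRoute routeBeforeFix(double extent, const std::vector<double>& pattern, double penWidth) {
    const double pl = patternLength(pattern, penWidth);
    if (fuzzyIsNull(pl))
        return StrokeRoute::NoPen;        // pattern has no length: nothing to draw
    if (extent / pl > 10000)
        return StrokeRoute::SolidApprox;  // too many tiny dashes: approximate
    return StrokeRoute::DashStroker;      // extent == 0 lands here: 0 / pl is not > 10000
}

// Post-patch condition: `else if (qFuzzyIsNull(extent) || extent / patternLength > 10000)`.
StrokeRoute routeAfterFix(double extent, const std::vector<double>& pattern, double penWidth) {
    const double pl = patternLength(pattern, penWidth);
    if (fuzzyIsNull(pl))
        return StrokeRoute::NoPen;
    if (fuzzyIsNull(extent) || extent / pl > 10000)
        return StrokeRoute::SolidApprox;  // zero extent now takes the safe branch
    return StrokeRoute::DashStroker;
}

static const char* routeName(StrokeRoute r) {
    switch (r) {
    case StrokeRoute::NoPen:       return "NoPen";
    case StrokeRoute::SolidApprox: return "SolidLine approximation";
    case StrokeRoute::DashStroker: return "dash stroker";
    }
    return "?";
}

int main() {
    const std::vector<double> dashDot = {4.0, 2.0};  // constructed dash pattern
    // Constructed extents: exactly zero, below and above the fuzzy tolerance, dense.
    const double cases[] = {0.0, 1e-9, 100.0, 1e7};
    for (double extent : cases) {
        std::printf("extent=%-8g before: %-24s after: %s\n", extent,
                    routeName(routeBeforeFix(extent, dashDot, 1.0)),
                    routeName(routeAfterFix(extent, dashDot, 1.0)));
    }
    return 0;
}
```

Running it shows the only row that changes between the two functions is extent = 0: before the fix it goes to the dash stroker, after it takes the solid-line approximation. The 1e-9 row goes to the dash stroker in both versions, which is the tolerance caveat a reviewer of the hunk would want to be aware of.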
Detection Methods for CVE-2021-38593
Indicators of Compromise
- Unexpected crashes in Qt-based applications during graphical content rendering
- Application log entries showing segmentation faults or memory access violations in QOutlineMapper::convertPath, QRasterPaintEngine::fill, or QPaintEngineEx::stroke
- Abnormal termination of processes linked against vulnerable Qt libraries (libQt5Gui.so, libQt6Gui.so)
- Core dumps indicating memory corruption in painting subsystem components
Detection Strategies
- Monitor for crash reports from Qt-based applications with stack traces containing QOutlineMapper::convertPath or QPaintEngineEx::stroke
- Implement software composition analysis (SCA) to identify Qt library versions in use across your environment
- Use vulnerability scanners to detect Qt installations matching affected CPE URIs (cpe:2.3:a:qt:qt:*)
- Deploy application crash monitoring to detect potential exploitation attempts
Monitoring Recommendations
- Enable core dump collection for Qt-based applications to capture crash details
- Monitor system logs for repeated application failures that may indicate exploitation attempts
- Track Qt library versions deployed across endpoints using asset inventory tools
- Configure alerting for unusual patterns of application restarts in Qt-dependent services
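The crash-monitoring items above boil down to one concrete check: count kernel segfault records whose faulting address falls inside libQt5Gui or libQt6Gui, per process, and alert on repeats. The following is an added C++ example of that check, not code from the page or from any Qt or Fedora tooling; the journal lines it scans are constructed for the example, and the process names, library versions and threshold are assumptions. It parses the kernel's segfault line format and decodes the x86 page-fault error code (bit 1 set means the faulting access was a write, which is what an out-of-bounds write produces), so a write fault inside the GUI library can be called out separately from read faults.

```cpp
// Added example, not from the page or from Qt: classify Linux kernel "segfault"
// log lines so that crashes inside libQt5Gui/libQt6Gui can be counted per
// process and alerted on. All sample lines below are constructed.
#include <cstdio>
#include <cstdlib>
#include <map>
#include <string>
#include <vector>

struct CrashEvent {
    bool parsed = false;       // false when the line is not a segfault record
    std::string process;       // name before "[pid]"
    std::string library;       // mapping the faulting ip fell in
    unsigned long error = 0;   // x86 page-fault error code (kernel prints it in hex)
    bool writeFault = false;   // bit 1 of the error code: the access was a write
    bool inQtGui = false;      // library is libQt5Gui.so* or libQt6Gui.so*
};

// Parses a line shaped like
//   ... kernel: app[1234]: segfault at 0 ip 00007f.. sp 00007f.. error 6 in libQt5Gui.so.5.15.2[7f..+600000]
CrashEvent parseSegfault(const std::string& line) {
    CrashEvent ev;
    const std::string marker = ": segfault at ";
    const size_t seg = line.find(marker);
    if (seg == std::string::npos) return ev;

    // "app[1234]" sits immediately before the marker.
    const size_t bracket = line.rfind('[', seg);
    if (bracket == std::string::npos) return ev;
    size_t nameStart = line.rfind(' ', bracket);
    nameStart = (nameStart == std::string::npos) ? 0 : nameStart + 1;
    ev.process = line.substr(nameStart, bracket - nameStart);

    const size_t err = line.find(" error ", seg);
    if (err == std::string::npos) return ev;
    ev.error = std::strtoul(line.c_str() + err + 7, nullptr, 16);  // printed with %lx
    ev.writeFault = (ev.error & 0x2) != 0;

    const size_t in = line.find(" in ", err);
    if (in == std::string::npos) return ev;
    const size_t libStart = in + 4;
    const size_t libEnd = line.find_first_of("[ ", libStart);
    ev.library = line.substr(libStart, libEnd == std::string::npos ? std::string::npos : libEnd - libStart);
    ev.inQtGui = ev.library.rfind("libQt5Gui.so", 0) == 0 ||
                 ev.library.rfind("libQt6Gui.so", 0) == 0;
    ev.parsed = true;
    return ev;
}

// Segfaults inside the Qt GUI library, counted per process name.
std::map<std::string, int> qtGuiCrashCounts(const std::vector<std::string>& lines) {
    std::map<std::string, int> counts;
    for (const std::string& line : lines) {
        const CrashEvent ev = parseSegfault(line);
        if (ev.parsed && ev.inQtGui) ++counts[ev.process];
    }
    return counts;
}

// Processes whose Qt GUI crash count reached the alert threshold.
std::vector<std::string> repeatedQtGuiCrashers(const std::vector<std::string>& lines, int threshold) {
    std::vector<std::string> hits;
    for (const auto& kv : qtGuiCrashCounts(lines))
        if (kv.second >= threshold) hits.push_back(kv.first);
    return hits;
}

// Constructed journal excerpt (not real crash data).
const std::vector<std::string> SAMPLE_LINES = {
    "Oct 03 10:01:12 host kernel: svgviewer[4242]: segfault at 0 ip 00007f3a1c2b4d5e sp 00007ffd0a1b2c30 error 6 in libQt5Gui.so.5.15.2[7f3a1c000000+600000]",
    "Oct 03 10:02:40 host kernel: svgviewer[4251]: segfault at 10 ip 00007f3a1c2b4d5e sp 00007ffd0a1b2c30 error 6 in libQt5Gui.so.5.15.2[7f3a1c000000+600000]",
    "Oct 03 10:03:05 host kernel: svgviewer[4260]: segfault at 8 ip 00007f9b0d1e2f30 sp 00007ffd0a1b2c30 error 4 in libc.so.6[7f9b0d000000+1c0000]",
    "Oct 03 10:04:19 host kernel: qmlscene[5100]: segfault at 18 ip 00007f11aa0b1c2d sp 00007ffe1122aabb error 4 in libQt6Gui.so.6.1.2[7f11aa000000+700000]",
    "Oct 03 10:05:00 host systemd[1]: Started Session 7 of user alice.",
    "Oct 03 10:06:33 host kernel: svgviewer[4301]: segfault at 20 ip 00007f3a1c2b4d5e sp 00007ffd0a1b2c30 error 7 in libQt5Gui.so.5.15.2[7f3a1c000000+600000] likely on CPU 3 (core 1, socket 0)",
};

int main() {
    for (const auto& kv : qtGuiCrashCounts(SAMPLE_LINES))
        std::printf("%s: %d segfault(s) inside the Qt GUI library\n", kv.first.c_str(), kv.second);
    for (const std::string& proc : repeatedQtGuiCrashers(SAMPLE_LINES, 2))
        std::printf("ALERT: repeated Qt GUI crashes in %s\n", proc.c_str());
    return 0;
}
```

A crash in the painting subsystem is evidence of a bug being hit, not proof of exploitation; pair the alert with the symbol-level stack trace from the core dump (QOutlineMapper::convertPath, QPaintEngineEx::stroke) and with the library version from the asset inventory before escalating.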
How to Mitigate CVE-2021-38593
Immediate Actions Required
- Upgrade Qt 5.x installations to version 5.15.6 or later
- Upgrade Qt 6.x installations to 6.1.3 or later (the affected range ends at 6.1.2)
- Apply distribution-specific security updates for Fedora 35 and 36 systems
- Review and update third-party applications that bundle Qt libraries
Patch Information
Qt has released security patches addressing this vulnerability across multiple branches. The fix adds a qFuzzyIsNull(extent) guard to the dash-pattern branch of QPaintEngineEx::stroke so that a zero-extent path takes the solid-line approximation instead of the dash stroker. The qtbase change is commit 1ca02cf2879a5e1511a2f2109f0925cf4c892862 (https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862).
Additional information is available in the Qt 5.15 Release Known Issues documentation and the Gentoo GLSA 202402-03 advisory.
Workarounds
- Restrict processing of untrusted graphical content in Qt-based applications until patches can be applied
- Implement input validation to sanitize or reject potentially malicious SVG or image content before Qt rendering
- Consider sandboxing Qt-based applications that process untrusted content to limit impact of crashes
- For subscription license holders, extended support patches are available as noted in the Qt Blog on Extended Support
# Check the Qt version reported by the build tools on Linux systems
qmake --version      # Qt 5; on Fedora the Qt 6 tool is installed as qmake6
qmake6 --version
# For Fedora systems, update the Qt base packages
sudo dnf update qt5-qtbase qt6-qtbase
# Confirm the installed package versions afterwards
rpm -q qt5-qtbase qt6-qtbase
# List the Qt GUI shared libraries the dynamic loader knows about
ldconfig -p | grep -E 'libQt[56]Gui'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.