CVE-2023-32573 Overview
CVE-2023-32573 is a divide-by-zero vulnerability in Qt's QtSvg module where the QSvgFont class improperly initializes the m_unitsPerEm variable. This flaw exists in Qt versions before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. The vulnerability is classified under CWE-369 (Divide By Zero), which occurs when an application divides a value by zero, leading to undefined behavior that typically results in application crashes.
Critical Impact
Attackers can craft malicious SVG files that, when processed by vulnerable Qt applications, trigger a divide-by-zero condition resulting in denial of service. This affects any application using QtSvg for SVG rendering.
Affected Products
- Qt versions before 5.15.14
- Qt versions 6.0.x through 6.2.x before 6.2.9
- Qt versions 6.3.x through 6.5.x before 6.5.1
- Red Hat Enterprise Linux 8.0
- Red Hat Enterprise Linux 9.0
Discovery Timeline
- 2023-05-10 - CVE-2023-32573 published to NVD
- 2025-01-27 - Last updated in NVD database
Technical Details for CVE-2023-32573
Vulnerability Analysis
This vulnerability stems from improper initialization of the m_unitsPerEm member variable in the QSvgFont class within Qt's SVG handling module (QtSvg). When processing SVG font definitions, if the units-per-em attribute is missing or set to zero, the uninitialized or zero value is subsequently used as a divisor in font scaling calculations. This creates a divide-by-zero condition that crashes the application.
The attack is network-exploitable but requires user interaction—a victim must open or render a maliciously crafted SVG file. The vulnerability results in denial of service through application termination, with no direct impact on confidentiality or integrity.
Root Cause
The root cause is the failure to properly validate and initialize the m_unitsPerEm variable before using it in division operations. The SVG font parsing code does not enforce a minimum value or provide a safe default when the units-per-em attribute is absent or invalid in the SVG document. This oversight allows crafted SVG content to trigger arithmetic exceptions when font metrics are calculated.
Attack Vector
An attacker exploits this vulnerability by creating a specially crafted SVG file containing a font definition with a missing or zero-valued units-per-em attribute. When a Qt-based application processes this SVG file—whether through direct file loading, web content rendering, or document preview—the division by zero occurs during font metric calculations, causing an unhandled exception that terminates the application.
The attack flow involves:
- Attacker creates a malicious SVG file with improper font element configuration
- Target user opens the SVG file using a vulnerable Qt application
- QtSvg attempts to parse and render the font definition
- Division by zero occurs during m_unitsPerEm-based calculations
- Application crashes, resulting in denial of service
Detection Methods for CVE-2023-32573
Indicators of Compromise
- Application crashes when opening or rendering specific SVG files
- Exception logs indicating arithmetic or divide-by-zero errors in Qt components
- Crash dumps showing QSvgFont or related QtSvg functions in the call stack
- Suspicious SVG files with malformed or missing units-per-em font attributes
Detection Strategies
- Monitor application logs for crashes related to SVG processing or QtSvg module errors
- Implement file analysis rules to detect SVG files with missing or zero units-per-em values in font definitions
- Deploy endpoint detection to identify repeated application crashes following SVG file access
- Use static analysis tools to identify vulnerable Qt library versions in deployed applications
Monitoring Recommendations
- Enable detailed crash reporting for Qt-based applications to capture stack traces
- Monitor system logs for repeated crashes of applications known to use QtSvg
- Implement inventory scanning to track Qt library versions across enterprise systems
- Set up alerts for unusual patterns of application termination following file operations
How to Mitigate CVE-2023-32573
Immediate Actions Required
- Upgrade Qt to version 5.15.14 or later for the 5.x branch
- Upgrade Qt to version 6.2.9 or later for the 6.0.x-6.2.x branch
- Upgrade Qt to version 6.5.1 or later for the 6.3.x-6.5.x branch
- Apply operating system vendor patches for Red Hat Enterprise Linux 8 and 9
Patch Information
Qt has released patches addressing this vulnerability. The fix ensures proper initialization of the m_unitsPerEm variable with a safe default value, preventing the divide-by-zero condition. The official code review and patch details are available at the Qt Project Code Review.
Linux distributions have also released updates:
- Debian LTS users should review the Debian LTS Announcement
- Fedora users should check the Fedora Package Announcement
Workarounds
- Restrict SVG file processing to trusted sources until patches can be applied
- Implement input validation to sanitize SVG files before processing with QtSvg
- Consider disabling SVG font rendering if not required by the application
- Deploy application sandboxing to limit the impact of crashes on system stability
# Check installed Qt version on Linux systems
qmake --version
# For RPM-based systems, check Qt packages
rpm -qa | grep -i qt5-qtsvg
# For Debian-based systems
dpkg -l | grep -i libqt5svg
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
