CVE-2025-12385 Overview
CVE-2025-12385 is a resource exhaustion vulnerability in the Qt framework from The Qt Company. The flaw affects the Text component in Qt Quick, where missing validation of width and height attributes in HTML <img> tags allows excessive memory allocation. An attacker can supply crafted markup containing oversized image dimensions, causing the application to become unresponsive. The issue is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling). Affected versions span Qt 5.0.0 through 6.5.10, 6.6.0 through 6.8.5, and 6.9.0 through 6.10.0 across Windows, macOS, Linux, iOS, and Android on both x86 and ARM architectures.
Critical Impact
Remote attackers can trigger denial of service in any Qt Quick application that renders untrusted rich text, exhausting memory and freezing the host process.
Affected Products
- Qt 5.0.0 through 6.5.10
- Qt 6.6.0 through 6.8.5
- Qt 6.9.0 through 6.10.0
Discovery Timeline
- 2025-12-03 - CVE-2025-12385 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12385
Vulnerability Analysis
The vulnerability resides in the rich-text rendering path of the Qt Quick Text component. When the component encounters an HTML <img> tag, the parser reads the width and height attributes and uses them to allocate rendering buffers. The implementation does not enforce reasonable upper bounds on these dimensions or validate them against available memory.
When an application renders attacker-controlled rich text, a tag such as <img width="999999" height="999999"> forces the Qt rendering pipeline to allocate buffers proportional to the declared pixel area. This drives CPU and memory consumption to the point of unresponsiveness, blocking the UI thread and degrading availability of the host process.
The attack requires no authentication or user interaction beyond rendering the content. Any Qt Quick application that displays untrusted HTML — chat clients, embedded browsers, kiosk interfaces, or mobile apps — is exposed.
Root Cause
The root cause is improper validation of specified quantity in input. The Text component trusts the numeric values supplied in <img> attributes and propagates them directly into allocation routines without bounds checking, throttling, or fallback handling.
Attack Vector
The attack vector is network-based. An adversary delivers crafted HTML through any channel the target application renders: message bodies, document previews, web feed content, or embedded UI strings sourced from remote servers. Rendering the markup is sufficient to trigger the excessive allocation. Refer to the Qt Project Code Review 687239 and Qt Project Code Review 687766 for upstream fix details.
Detection Methods for CVE-2025-12385
Indicators of Compromise
- Qt-based application processes exhibiting sustained high memory growth followed by unresponsiveness or out-of-memory termination.
- Inbound content containing <img> tags with abnormally large width or height numeric attributes.
- Application crash logs referencing image buffer allocation failures in qtdeclarative modules.
Detection Strategies
- Inspect network and message payloads for HTML <img> tags where width or height attributes exceed plausible display dimensions.
- Monitor Qt application memory footprints for rapid expansion correlated with rich-text rendering events.
- Hunt for repeated application hangs or restarts tied to user-supplied content rendered through Text or TextEdit components.
Monitoring Recommendations
- Enable per-process memory ceilings and watchdog timers on workstations running Qt Quick applications.
- Log inbound content sources that feed Qt rich-text views and correlate with process resource telemetry.
- Alert on Qt application processes that exceed historical memory baselines by significant margins.
How to Mitigate CVE-2025-12385
Immediate Actions Required
- Inventory all internally developed and third-party applications built on Qt 5.x and Qt 6.x to identify exposure.
- Upgrade Qt to a patched release: 6.5.11 or later for the 6.5 LTS branch, 6.8.6 or later for the 6.8 branch, and a release later than 6.10.0 for the 6.10 branch.
- For applications that cannot be patched immediately, disable rendering of untrusted HTML in Qt Quick Text elements by setting textFormat to Text.PlainText.
Patch Information
The Qt Company resolved the issue through upstream commits to the qtdeclarative module, available in the Qt Project Code Review 687239 and Qt Project Code Review 687766. The fixes add validation of <img> tag dimensions before allocation. Application maintainers must rebuild and redistribute binaries against the patched Qt libraries.
Workarounds
- Set textFormat: Text.PlainText on Qt Quick Text elements that may receive untrusted input.
- Sanitize inbound HTML to strip or clamp width and height attributes on <img> tags before rendering.
- Apply per-process memory limits using operating system controls such as ulimit, cgroups, or Job Objects to contain runaway allocations.
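# Configuration example: enforce a 2 GB memory cap on a Qt application via cgroups v2
# (memory.max limits the memory the cgroup actually uses, not its virtual address space)
sudo mkdir -p /sys/fs/cgroup/qtapp
echo "2G" | sudo tee /sys/fs/cgroup/qtapp/memory.max
# Move the current shell into the cgroup so the application started from it inherits the limit
echo $$ | sudo tee /sys/fs/cgroup/qtapp/cgroup.procs
./my-qt-application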
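The payload inspection listed under Detection Strategies and the strip-or-clamp workaround above can share one routine. The following is an added example, not code from Qt or from the upstream fix: `clampImgDimensions`, `Sanitized` and the 4096-pixel ceiling `kMaxImgDim` are assumptions, and it uses only the C++ standard library so it builds without Qt.

```cpp
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <string>

constexpr long kMaxImgDim = 4096;  // assumed policy ceiling in pixels, not a value from the Qt fix
struct Sanitized { std::string html; int clamped = 0; };

static std::string lower(std::string s) {
    for (char& c : s) c = (char)std::tolower((unsigned char)c);
    return s;
}
// Clamp width/height on <img> tags; all other bytes are copied through unchanged.
Sanitized clampImgDimensions(const std::string& in, long maxDim = kMaxImgDim) {
    Sanitized out;
    const size_t n = in.size();
    auto sp = [&](size_t p) { return std::isspace((unsigned char)in[p]) != 0; };
    auto sep = [&](size_t p) { return sp(p) || in[p] == '/'; };
    for (size_t i = 0; i < n;) {
        const bool img = in[i] == '<' && lower(in.substr(i + 1, 3)) == "img" && i + 4 < n && sep(i + 4);
        if (!img) { out.html += in[i++]; continue; }      // outside an <img ...> tag
        out.html.append(in, i, 4);
        for (i += 4; i < n && in[i] != '>';) {            // one attribute per iteration
            size_t s = i;
            while (i < n && !sep(i) && in[i] != '=' && in[i] != '>') ++i;
            const std::string name = lower(in.substr(s, i - s));
            while (i < n && sep(i)) ++i;
            if (i == n || in[i] != '=') { out.html.append(in, s, i - s); continue; }
            for (++i; i < n && sp(i);) ++i;
            out.html.append(in, s, i - s);                // name, separators and '=' verbatim
            const size_t raw = i;                         // value start, opening quote included
            const char q = (i < n && (in[i] == '"' || in[i] == '\'')) ? in[i++] : '\0';
            for (s = i; i < n && (q ? in[i] != q : !sp(i) && in[i] != '>');) ++i;
            const std::string val = in.substr(s, i - s);
            if (q && i < n) ++i;                          // consume the closing quote
            char* end = nullptr;
            const double v = std::strtod(val.c_str(), &end);  // also reads 1e9, inf and hex
            const bool big = (name == "width" || name == "height") && end != val.c_str() && !(v <= maxDim);
            out.html += big ? '"' + std::to_string(maxDim) + '"' : in.substr(raw, i - raw);
            out.clamped += big;                           // big also covers inf and NaN
        }
    }
    return out;
}

int main() {  // constructed sample input
    const Sanitized r = clampImgDimensions("<img src=\"a.png\" width=\"999999\" height='1e9'>");
    std::printf("%d clamped: %s\n", r.clamped, r.html.c_str());
}
```

A non-zero `clamped` count doubles as a detection signal worth logging together with the content source. In a Qt application the markup would pass through `QString::toStdString()` and `QString::fromStdString()` around the call.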


