CVE-2025-12385 Overview
CVE-2025-12385 is a resource exhaustion vulnerability in The Qt Company's Qt framework. The flaw resides in the Text component of Qt Quick, where the rendering engine fails to validate the width and height attributes of HTML <img> tags. An attacker who controls the rich text input passed to a Text element can specify arbitrarily large image dimensions, triggering excessive memory allocation. The application becomes unresponsive, producing a denial-of-service condition.
The vulnerability is classified under [CWE-770] (Allocation of Resources Without Limits or Throttling) and affects Qt versions across Windows, macOS, Linux, iOS, and Android on both 32-bit and 64-bit architectures.
Critical Impact
Remote attackers can render Qt-based applications unresponsive by supplying crafted <img> tags with oversized dimensions to any Text component that processes untrusted rich text.
Affected Products
- Qt 5.0.0 through 6.5.10
- Qt 6.6.0 through 6.8.5
- Qt 6.9.0 through 6.10.0
Discovery Timeline
- 2025-12-03 - CVE-2025-12385 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12385
Vulnerability Analysis
The Qt Quick Text component supports a subset of HTML for rich text rendering, including the <img> tag for inline images. When parsing the tag, the framework reads the width and height attributes and uses them to allocate image buffers and layout space. The implementation does not enforce upper bounds on these values, nor does it validate them against available memory.
An attacker who can influence the text content rendered by a Text element can supply dimensions such as width="999999999" and height="999999999". The renderer attempts to satisfy the allocation request, exhausting CPU and memory resources. Patches were submitted upstream as Qt Project Code Review #687239 and Qt Project Code Review #687766.
Root Cause
The root cause is missing input validation in the rich text parser within the qtdeclarative module. Image dimension attributes are accepted without sanity checks against reasonable bounds, the rendering surface size, or platform memory limits. This represents a classic instance of [CWE-770], where untrusted input directly drives resource allocation.
Attack Vector
Exploitation requires no authentication or user interaction beyond rendering the malicious content. Any Qt Quick application that displays attacker-controlled rich text — including chat clients, email viewers, RSS readers, embedded HMIs, and mobile apps — is exposed. The attack surface extends to network-delivered content, file imports, and inter-process messages that flow into a Text element.
The vulnerability manifests when the parser processes an <img> tag with crafted width and height attributes. See the linked Qt Project code reviews for the upstream fix that introduces bounds checking on these attributes.
Detection Methods for CVE-2025-12385
Indicators of Compromise
- Qt-based application processes consuming abnormally high memory or CPU shortly after receiving external content.
- Application hangs or crashes correlated with inbound rich text messages containing <img> tags.
- Logs or crash dumps showing allocation failures originating from the qtdeclarative rendering pipeline.
Detection Strategies
- Inventory deployed software to identify applications built against vulnerable Qt versions (5.0.0–6.5.10, 6.6.0–6.8.5, 6.9.0–6.10.0).
- Inspect inbound message content for <img> tags with numerically extreme width or height attribute values.
- Monitor process memory growth rate on hosts running Qt Quick applications and flag rapid spikes.
Monitoring Recommendations
- Enable application crash and hang telemetry from endpoints running Qt-based software.
- Correlate memory exhaustion events with the parent process binary and its linked Qt libraries.
- Track outbound and inbound rich text channels feeding Qt applications, such as XMPP, IRC, or proprietary messaging protocols.
How to Mitigate CVE-2025-12385
Immediate Actions Required
- Identify all Qt-based applications in the environment and determine their linked Qt version.
- Apply the patches from the Qt Project code reviews referenced above, or upgrade to a fixed Qt release once distributed by vendors.
- For applications that ship Qt as a bundled dependency, contact the application vendor for an updated build.
Patch Information
The Qt Project addressed the issue through two upstream changes that add validation of <img> dimension attributes: Qt Project Code Review #687239 and Qt Project Code Review #687766. Downstream releases incorporating these fixes are expected in Qt versions beyond 6.5.10, 6.8.5, and 6.10.0.
Workarounds
- Sanitize all untrusted rich text before passing it to a Text element. Strip or rewrite <img> tags, or clamp width and height attribute values to safe bounds.
- Where rich text is not required, set textFormat: Text.PlainText on Qt Quick Text components to disable HTML parsing entirely.
- Apply per-process memory limits using OS-level controls such as cgroups on Linux or Job Objects on Windows to contain runaway allocations.
# Example: enforce a 512 MB memory ceiling on a Qt application using systemd
systemd-run --scope -p MemoryMax=512M /usr/bin/my-qt-app
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

