CVE-2025-5683 Overview
CVE-2025-5683 is a denial-of-service vulnerability in the Qt framework's image handling code. Loading a specifically crafted ICNS format image file in QImage triggers a crash in the affected application. The flaw is tracked under CWE-770 (Allocation of Resources Without Limits or Throttling) and affects Qt versions 6.3.0 through 6.5.9, 6.6.0 through 6.8.4, and 6.9.0. The Qt Project fixed the issue in releases 6.5.10, 6.8.5, and 6.9.1.
Critical Impact
A malicious ICNS file processed by any Qt-based application using QImage crashes the host process, causing loss of availability for desktop and server workloads that render untrusted images.
Affected Products
- Qt 6.3.0 through 6.5.9
- Qt 6.6.0 through 6.8.4
- Qt 6.9.0
Discovery Timeline
- 2025-06-05 - CVE-2025-5683 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-5683
Vulnerability Analysis
The defect resides in the qtimageformats ICNS handler used by QImage. When Qt parses an Apple Icon Image (ICNS) container, the loader processes size and count fields declared inside the file without enforcing sufficient bounds against the actual payload. A malformed record leads the parser into an unrecoverable state, terminating the calling application.
Qt-based software commonly renders images from arbitrary sources: file managers, chat clients, mail readers, browsers, and cross-platform desktop apps. An attacker who can deliver an ICNS payload to such a client can force a crash without user credentials. User interaction is required to open or preview the file. The impact is limited to availability; the vulnerability does not disclose data or execute code.
Root Cause
The root cause is missing input validation in the ICNS decoder within qtimageformats. The parser trusts length and entry-count fields from the file header, mapped to the CWE-770 weakness class of unbounded resource allocation. The upstream fix in the Qt Project Code Review tightens these checks before allocation and decode.
Attack Vector
Delivery is network-reachable through any channel that surfaces images to a Qt application: email attachments, chat file transfers, downloaded archives, web content, or shared network paths. When the target opens or previews the crafted ICNS file, QImage invokes the ICNS handler and the host process crashes. See the OSS Fuzz Issue Report for the fuzzing artifact that surfaced the defect.
Detection Methods for CVE-2025-5683
Indicators of Compromise
- Repeated crashes of Qt-based applications correlated with opening .icns files or thumbnails.
- Operating system crash reports referencing libQt6Gui, qtimageformats, or ICNS decoding stack frames.
- Delivery of ICNS attachments to platforms where such files are not part of normal business workflows.
Detection Strategies
- Inventory installed Qt runtimes and flag versions in the 6.3.0–6.5.9, 6.6.0–6.8.4, and 6.9.0 ranges.
- Inspect mail and web gateways for inbound ICNS files and sandbox-render them before delivery.
- Correlate application crash telemetry with recent file-open events involving image formats handled by Qt.
Monitoring Recommendations
- Ship Windows Error Reporting, macOS ReportCrash, and Linux coredumpctl output to a central log store for triage.
- Track process termination events for Qt applications and alert on repeat crashes tied to a single user or file source.
- Monitor software distribution channels to confirm updated Qt libraries reach all endpoints.
How to Mitigate CVE-2025-5683
Immediate Actions Required
- Upgrade Qt to 6.5.10, 6.8.5, or 6.9.1 depending on the branch in use.
- Rebuild and redistribute internal applications that statically link or bundle vulnerable Qt libraries.
- Restrict acceptance of .icns attachments at mail and file-sharing gateways until patching completes.
Patch Information
The Qt Project addressed the flaw in the qtimageformats module. The fix is included in Qt 6.5.10, 6.8.5, and 6.9.1. The upstream change is available in the Qt Project Code Review. Downstream Linux distributions ship the patched libraries through their standard security update channels.
Workarounds
- Disable or remove the ICNS image plugin from Qt deployments where the format is not required.
- Block or strip .icns files at email, web proxy, and endpoint content-inspection layers.
- Instruct users not to preview ICNS files received from untrusted senders until the patch is deployed.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

