{"id":"CVE-2024-25580","details":"An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.","modified":"2026-04-16T04:33:48.469433312Z","published":"2024-03-27T03:15:12.007Z","related":["ALSA-2024:2276","ALSA-2024:3056","openSUSE-SU-2024:13690-1","openSUSE-SU-2024:13775-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZWTGLKC3WBDHZ5OJRSEB2QUR7XXZDLZV/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYE2NMN67DYHYJKLAKLGR64OYI7A63AH/"},{"type":"FIX","url":"https://www.qt.io/blog/security-advisory-potential-buffer-overflow-when-reading-ktx-images"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qt/qtbase","events":[{"introduced":"13ed06640c6cf32ea8c784c896c6bf017053edb3"},{"fixed":"8e79bee4afa2a1466f360f44fb07d24e432a82a6"},{"introduced":"fc9cda5f08ac848e88f63dd4a07c08b2fbc6bf17"},{"fixed":"3a82051eade32b34c2f4f6f652a9d8ef0db96c71"},{"introduced":"9554d315aa74eaba1726405ee09117e2ebc6111f"},{"fixed":"c8c0c677693c047a9dbf94c2a88eb920ed11acc8"},{"introduced":"33f5e985e480283bb0ca9dea5f82643e825ba87c"},{"fixed":"dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"}],"database_specific":{"versions":[{"introduced":"5.12.0"},{"fixed":"5.15.17"},{"introduced":"6.0.0"},{"fixed":"6.2.12"},{"introduced":"6.3.0"},{"fixed":"6.5.5"},{"introduced":"6.6.0"},{"fixed":"6.6.2"}]}}],"database_specific":{"vanir_signatures_modified":"2026-04-12T08:03:55Z","vanir_signatures":[{"signature_version":"v1","deprecated":false,"signature_type":"Function","target":{"file":"src/tools/qlalr/cppgenerator.cpp","function":"CppGenerator::copyrightHeader"},"id":"CVE-2024-25580-0355e429","digest":{"length":158,"function_hash":"136461757324256813282022259417379127365"},"source":"https://github.com/qt/qtbase/commit/c8c0c677693c047a9dbf94c2a88eb920ed11acc8"},{"target":{"file":"src/gui/util/qktxhandler.cpp","function":"QKtxHandler::decodeKeyValues"},"deprecated":false,"signature_type":"Function","signature_version":"v1","id":"CVE-2024-25580-462199ff","digest":{"length":735,"function_hash":"7364416592394577119437940976907996060"},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/tools/qlalr/cppgenerator.cpp"},"id":"CVE-2024-25580-495911c7","digest":{"line_hashes":["19558493098812227728671165474361015392","106008374532169155072527926556305774515","188893840817205926988204630655514730863","235179633474731591380608793762610541546"],"threshold":0.9},"source":"https://github.com/qt/qtbase/commit/c8c0c677693c047a9dbf94c2a88eb920ed11acc8"},{"target":{"file":"tests/auto/gui/util/qtexturefilereader/tst_qtexturefilereader.cpp"},"deprecated":false,"signature_type":"Line","signature_version":"v1","id":"CVE-2024-25580-62991e15","digest":{"line_hashes":["163025544936468673396887582351900526570","192599772146138582938962858926520246855","121204903762595879395660416776397810880","218506546214480638963447889292690177668","131206179422142810249228455466547622028","169148247452786850530522787300885566438"],"threshold":0.9},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"target":{"file":"src/gui/util/qktxhandler.cpp","function":"QKtxHandler::canRead"},"deprecated":false,"signature_type":"Function","signature_version":"v1","id":"CVE-2024-25580-6ac07c49","digest":{"length":192,"function_hash":"60956471746684524945346742045230509622"},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","target":{"file":"src/gui/util/qktxhandler.cpp"},"id":"CVE-2024-25580-85c4da1f","digest":{"line_hashes":["326791891951963302053498062007251604819","216501027714726516523260120877272770458","272316552540469537871419769208699747618","32756698102141330989931102338427760486","329085638427952370887499885194417094983","23992358934044123184146740662218759827","111420295665237001369063300250837057494","339921958229784533062656756998393974902","320457186581665594816885113759724029589","217155106427057612529695096959215002128","132063340904007978087212222386502296766","188353106039990923234557425075788070445","8473008348859982688628834671963097431","42428422552339712291675158392287383392","118450234344262773107008053217091128207","113978529423858291344594895384995680573","19188762913395271922019310197400478496","94731894940777509700646632370358911991","206579650303715150429769429304149393109","158044226728775515387637253804320166329","294900422571405337628917297662874063906","274144141498473902106102085549854312372","96236304093679483433446031978348595400","277809073397358023385567583554632736246","283512247336100706603413140741368060152","112955549893255764185096396270281853878","93089557951267292991403958030426040967","272303951869674331560001035679443752771","99970391310837704637120259889309993960","140491642941314039424598136395132568500","82425384615181284430715866001033073399","244895088819555936231521581995418052389","286860707805905689909930365340038990419","239870289400057756564903324715151891820","205857025933664987542535830034386165813","185256357155209013487235556466228204687","313625977436023324073035698239638724524","298689686129004949388916287062787044767","257634073108725076925535315757115026244","273513797962591852547449113704351648476","116720770702985978231634603541944901376","260705184382809755010022288052788629682","209075497822928170618318771371373013112","167730221265140455077897914573806345955","262297745719240115032485584871482723758","312537045819153036586834294189931422334","90853907946704080172202977536754825739","233753438766578678551593957161454133521","171900717941769559318162075811107177176","73481453844480851765101099994755109643","223806874672977638569733942405565929788","279563880410908758317228758824101779342","59265332618951206024076635072161489916","284679932794797200761486766510381587131","6062148158586369252781625970162716544","55964092935897503430526652068475996616","241670279024805347673473354765222283401","72975930225814918375803833441984993679","58293507839107831635187045894736830875","322287645065413365969281015760476821568","91881551019884164228114603971124350767","91698441258791324708047973243870805667","75660462155697043975284469895546951126","72832898569556524298313240615759476984","196158815946406060608327729606793116348","208171843212904890205401292669084500816","298504100938338821177903776210171852460","12385753637530777424050096468058906625","220970122788446913640296160606462900808","211637163825161736622392903579643335239","156944970459392248563646670762345293807","54871384128103068577648035189243511684","316987147565135293733267095739034607580","242516089558919917119599336241103995525","41201070085319439605240516280312037260","175416545714977225076087158803894547208","324945013111721331764264708185658314428","23407635790766161537621439751219680210"],"threshold":0.9},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"target":{"file":"src/gui/util/qktxhandler.cpp","function":"withPadding"},"deprecated":false,"signature_type":"Function","signature_version":"v1","id":"CVE-2024-25580-c5e52c72","digest":{"length":144,"function_hash":"307336593277657630736852378315688205833"},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"signature_version":"v1","deprecated":false,"signature_type":"Function","id":"CVE-2024-25580-e66d7216","target":{"file":"src/gui/util/qktxhandler.cpp","function":"QKtxHandler::read"},"digest":{"length":1996,"function_hash":"2500646054964973657236404764740378148"},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"},{"signature_version":"v1","deprecated":false,"signature_type":"Line","id":"CVE-2024-25580-f7b1a2a7","target":{"file":"src/gui/util/qktxhandler_p.h"},"digest":{"line_hashes":["153103572155014416452620909264860982546","293763830944613902788866577175215898927","135489548238572539311258804692019884127","15772471024379444214167190962107309446","270376144655553600952382251816304575273","229399418970970037446185672734695865297"],"threshold":0.9},"source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-25580.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}