9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.3%
There have been three vulnerabilities found in FreeType recently and they have been assigned the CVE ids CVE-2022-27404, CVE-2022-27405, CVE-2022-27406. This has been fixed in the latest version of FreeType – v2.12.1
These effects configurations of Qt that have been built against the bundled version of FreeType. If you are using a pre-built version of Qt then this will be using the bundled version of FreeType by default, otherwise you will be using the system version by default, in which case you should check if the system needs to be updated or not. If the system needs to be updated, then updating it is enough to solve the issue. There is no need to rebuild Qt in that case.
Solution: To work-around it, then update your system version of FreeType to at least v2.12.1 and reconfigure and build Qt to use the system version of FreeType. Or apply the following patch or update to Qt 6.3.2 when it is released.
Patches:
dev: <https://codereview.qt-project.org/c/qt/qtbase/+/422316>
6.4: <https://codereview.qt-project.org/c/qt/qtbase/+/423390>
6.3: <https://codereview.qt-project.org/c/qt/qtbase/+/423391> or <https://download.qt.io/official_releases/qt/6.3/CVE-2022-27404-27405-27406-qtbase-6.3.diff>
6.2: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423393> or <https://download.qt.io/official_releases/qt/6.2/CVE-2022-27404-27405-27406-qtbase-6.2.diff>[](<https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423393>)
5.15: <https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423394> or <https://download.qt.io/official_releases/qt/5.15/CVE-2022-27404-27405-27406-qtbase-5.15.diff>[](<https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/423394>)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
82.3%