Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML

Emma Reuter and Theo Morales of ASIG and Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities.

Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML.

Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all aim to enable cross-platform application development with a unified programming API.

QT has responded to vulnerability notifications with this statement: "We have analyzed your report, and our evaluation is that this is not a security issue, even though it is a real bug. Qt's QML and JavaScript support is explicitly not designed for untrusted content… Each application that is passing untrusted input to QtQml needs to have an advisory instead and must thoroughly check their inputs."

This advisory concerns:

TALOS-2022-1617 (CVE-2022-40983), in which Javascript code can trigger an integer overflow during memory allocation, which can lead to arbitrary code execution. A target application would need to access a malicious web page to trigger this vulnerability.

Secondarily, TALOS-2022-1650 (CVE-2022-43591) can involve an out-of-bounds memory access, leading to arbitrary code execution.

Cisco Talos believes these are potential security issues and notified QT of the issues all in adherence to Cisco's vulnerability disclosure policy.

Users are encouraged to update this affected product as soon as possible: Qt Project Qt 6.3.2. Talos tested and confirmed this version of QT could be exploited by this vulnerability.

The following Snort rules will detect exploitation attempts against this vulnerability: 60690-60691 and 60912-60913. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.