Qt
cpe:2.3:a:qt:qt:*:*:*:*:*:*:*
- <= 5.15.18
- >= 6.0.0, <= 6.5.8
- >= 6.6.0, <= 6.8.1
A vulnerability in the QFileSystemEngine component of the Qt corelib module on Windows has been identified, allowing for symlink attacks and the use of malicious files. This issue stems from improper link resolution before file access, particularly in how temporary file paths are handled. The vulnerability affects all versions of Qt up to and including 5.15.18, as well as versions 6.0.0 through 6.5.8 and 6.6.0 through 6.8.1. It is caused by the use of the GetTempPath API, which can be exploited to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation.
Exploitation of this vulnerability could allow attackers to perform symlink attacks, leading to unauthorized access and privilege escalation by manipulating temporary file paths.
Users can upgrade to Qt versions 5.15.19, 6.5.9, 6.8.2, or 6.9.0 to address this vulnerability.
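The affected ranges and fixed releases above can be checked against a software inventory. The following is an added example, not code from Qt or from this advisory's source; the inventory entries, application names and platform labels are constructed for illustration, and a version string with no patch component is assumed to mean patch 0.

```python
import re

# Affected ranges and fixed releases exactly as listed in the advisory above:
# (lowest affected or None, highest affected, first fixed release of that branch)
AFFECTED = [
    (None,      (5, 15, 18), "5.15.19"),
    ((6, 0, 0), (6, 5, 8),   "6.5.9"),
    ((6, 6, 0), (6, 8, 1),   "6.8.2"),
]

def parse_version(text):
    """Return (major, minor, patch) from strings such as '6.5.3' or 'v5.15.2-lts'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Qt version: {text!r}")
    # Assumption: a missing patch component is treated as 0.
    return tuple(int(g or 0) for g in m.groups())

def triage(version, platform):
    """Return (affected, upgrade_target) for one deployed Qt build."""
    if platform.strip().lower() != "windows":
        return (False, None)  # the advisory scopes the issue to Windows
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if (low is None or v >= low) and v <= high:
            return (True, fixed)
    return (False, None)

# Constructed inventory: (application, bundled Qt version, platform)
INVENTORY = [
    ("kiosk-ui",  "5.15.2",     "Windows"),
    ("installer", "6.5.9",      "Windows"),
    ("dashboard", "6.7.3",      "Windows"),
    ("agent",     "6.8.1",      "Linux"),
    ("viewer",    "v6.2.4-lts", "windows"),
]

def report(inventory):
    """List (application, version, upgrade_target) for every affected entry."""
    findings = []
    for app, version, platform in inventory:
        affected, fixed = triage(version, platform)
        if affected:
            findings.append((app, version, fixed))
    return findings

if __name__ == "__main__":
    for app, version, fixed in report(INVENTORY):
        print(f"{app}: Qt {version} is affected, upgrade to {fixed} or later")
```

Builds on the 6.6 and 6.7 branches fall inside the 6.6.0 through 6.8.1 range, so their upgrade target is 6.8.2.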