CVE-2023-38197

7.5 HIGH

📋 TL;DR

This vulnerability in Qt's XML parsing allows attackers to cause denial of service through infinite loops during recursive entity expansion. It affects applications using Qt's XML processing functionality before patched versions, potentially causing resource exhaustion and application crashes.

💻 Affected Systems

Products:
  • Qt
  • Applications using Qt XML processing
Versions: Qt before 5.15.15, 6.x before 6.2.10, 6.3.x through 6.5.x before 6.5.3
Operating Systems: All platforms running affected Qt versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in Qt's XML parser when processing recursive entity expansions. Applications must use Qt's XML functionality to be affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete denial of service with application crashes and resource exhaustion, potentially affecting availability of services using Qt XML processing.

🟠 Likely Case

Application hangs or crashes when processing malicious XML input, leading to service disruption.

🟢 If Mitigated

Limited impact with proper input validation and resource limits, though still potentially disruptive.

🌐 Internet-Facing: MEDIUM - Applications accepting XML input from untrusted sources are vulnerable to DoS attacks.
🏢 Internal Only: LOW - Internal applications with controlled XML input sources have reduced exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending malicious XML to applications using Qt's XML parser. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Qt 5.15.15, 6.2.10, 6.5.3 or later

Vendor Advisory: https://codereview.qt-project.org/c/qt/qtbase/+/488960

Restart Required: Yes

Instructions:

1. Update Qt to a patched version (5.15.15+, 6.2.10+, or 6.5.3+).
2. Recompile applications with the updated Qt libraries.
3. Restart affected services.

🔧 Temporary Workarounds

XML Input Validation

Platform: all

Implement strict validation and size limits on XML input to prevent recursive entity expansion attacks.
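As an added example (not part of the advisory or of Qt itself), the following Python pre-check enforces a size limit and rejects documents whose internal DTD declares recursive or excessively expanding entities before the input reaches the XML parser. The sample documents and the limit values are constructed assumptions.

```python
import re

# Constructed sample documents (not from the advisory): benign input, two
# entities that reference each other (the recursive case), and a nested
# expansion chain whose expanded size grows tenfold per level.
BENIGN = '<?xml version="1.0"?><root><a>hello</a></root>'
RECURSIVE = '<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>'
_decls = ['<!ENTITY e0 "x">']
for _i in range(1, 6):
    _decls.append('<!ENTITY e%d "%s">' % (_i, "&e%d;" % (_i - 1) * 10))
BOMB = "<!DOCTYPE r [" + "".join(_decls) + "]><r>&e5;</r>"

# Internal parsed general entities only; external (SYSTEM/PUBLIC) entities are
# not modelled here and a stricter policy should reject them outright.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"')
ENTITY_REF = re.compile(r'&(\w+);')


def check_xml_entities(doc, max_bytes=1_000_000, max_expansion=10_000, max_depth=16):
    """Return (ok, reason). Limits are assumed values; tune them per application."""
    if len(doc.encode("utf-8")) > max_bytes:
        return False, "document exceeds size limit"
    decls = dict(ENTITY_DECL.findall(doc))
    memo = {}

    def expanded_len(name, stack):
        # Fully expanded length of one entity; a name seen twice on the current
        # expansion path is a cycle, the condition the unpatched parser loops on.
        if name in stack:
            raise ValueError("recursive entity: " + name)
        if len(stack) >= max_depth:
            raise ValueError("entity nesting deeper than %d" % max_depth)
        if name in memo:
            return memo[name]
        value = decls.get(name)
        if value is None:  # undefined or predefined (&amp;): kept literally
            return len(name) + 2
        total = len(ENTITY_REF.sub("", value))
        for ref in ENTITY_REF.findall(value):
            total += expanded_len(ref, stack | {name})
        memo[name] = total
        return total

    try:
        for name in decls:
            size = expanded_len(name, frozenset())
            if size > max_expansion:
                return False, "entity %s expands to %d chars" % (name, size)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"
```

Run the check on untrusted input and only hand documents that return `ok` to the Qt parser; rejected inputs are worth logging, since they feed the detection indicators listed further down.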

Resource Limits

Platform: linux

Configure system resource limits (CPU time, memory) for applications processing XML to mitigate DoS impact.

ulimit -t 30          # CPU time limit in seconds
ulimit -v 1048576     # address-space limit in KiB (RLIMIT_AS); -m (RLIMIT_RSS) is not enforced by the Linux kernel

🧯 If You Can't Patch

  • Implement network-level filtering to block or limit XML input to vulnerable applications
  • Deploy application-level monitoring for abnormal resource consumption patterns

🔍 How to Verify

Check if Vulnerable:

Check Qt version: qmake --version or examine Qt library files. Verify if version falls within affected ranges.

Check Version:

qmake --version

Verify Fix Applied:

Confirm Qt version is 5.15.15+, 6.2.10+, or 6.5.3+ after update.

📡 Detection & Monitoring

Log Indicators:

  • Application crashes or hangs
  • High CPU usage spikes
  • Memory exhaustion warnings

Network Indicators:

  • Unusually large XML payloads
  • Repeated XML requests to same endpoint

SIEM Query:

source="application.log" AND ("crash" OR "hang" OR "high cpu") AND process="*qt*"
