Subnavigation

Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation

January 02, 2024 by Andy Shaw | Comments

A recently reported potential integer overflow issue in Qt’s HTTP2 implementation has been assigned the CVE id CVE-2023-51714.

An issue was discovered in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2.

If the HTTP2 implementation receives more then 4GiB in total headers, or more than 2GiB for any given header pair, then the internal buffers may overflow.

Solution: Apply the following two patches or update to Qt 5.15.17, Qt 6.2.11, 6.5.4 or 6.6.2

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/524864 and https://codereview.qt-project.org/c/qt/qtbase/+/524865

Qt 6.6: https://codereview.qt-project.org/c/qt/qtbase/+/525295 and https://codereview.qt-project.org/c/qt/qtbase/+/525297/3 or https://download.qt.io/official_releases/qt/6.6/0001-CVE-2023-51714-qtbase-6.6.diff and https://download.qt.io/official_releases/qt/6.6/0002-CVE-2023-51714-qtbase-6.6.diff

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525624 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525625/1 or https://download.qt.io/official_releases/qt/6.5/0001-CVE-2023-51714-qtbase-6.5.diff and https://download.qt.io/official_releases/qt/6.5/0002-CVE-2023-51714-qtbase-6.5.diff

Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525709 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525710 or https://download.qt.io/official_releases/qt/6.2/0001-CVE-2023-51714-qtbase-6.2.diff and https://download.qt.io/official_releases/qt/6.2/0002-CVE-2023-51714-qtbase-6.2.diff

Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525874 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525875 or https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff and https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
Blog Topics:

Comments

Subscribe to our newsletter

Subscribe Newsletter

By submitting the form, you agree that Qt Group will process and store your personal information according to the Privacy Policy and may send you communications related to your request. You may unsubscribe from all communications at any time by clicking Unsubscribe or Manage Preferences in the footer of our emails.

Try Qt 6.9 Now!

Download the latest release here: www.qt.io/download.

Qt 6.9 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Read Next

Apr 11, 2025

Security advisory: A Heap-buffer-overflow issue in QTextMarkdownImporter impacts Qt

A Heap-buffer-overflow issue in QTextMarkdownImporter has been discovered..

Read Article

Apr 9, 2025

Qt Group Authorized as a CVE Numbering Authority (CNA) by the CVE Program

Qt Group has been authorized by the Common Vulnerabilities and Exposures..

Read Article

Apr 7, 2025

Security advisory: A Denial-of-Service type of security issue in Qt XML module impacts Qt

A Denial-of-Service type of security issue in QDom classes of Qt XML..

Read Article