CVE-2025-10729: 
CBL Mariner vulnerability analysis and mitigation

The Qt SVG module contains a critical use-after-free vulnerability (CVE-2025-10729) that affects Qt versions 6.7.0 through 6.8.4, and 6.9.0 through 6.9.2. The vulnerability occurs when the module parses a node that is not a child of a structural node in an SVG file, where the node gets deleted after creation but might be accessed later, leading to a use-after-free condition. This vulnerability has been assigned a CVSS 4.0 base score of 9.4, indicating critical severity (Security Online, NVD).

The vulnerability is classified as CWE-416 (Use After Free) and occurs in the SVG parsing functionality of the Qt framework. When processing SVG files, the module incorrectly handles nodes that are not children of structural nodes, leading to a memory management issue where deleted nodes might be accessed after their deletion. The vulnerability carries a Critical CVSS 4.0 score of 9.4 with the following vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:P/RE:H/U:Red (NVD).

The vulnerability poses significant risks as it could potentially lead to remote code execution (RCE) depending on how memory is reallocated. This is particularly concerning in environments where SVG rendering is exposed to untrusted input, such as web engines, UI design tools, or document viewers. The Qt SVG module's widespread use across software ecosystems, including desktop environments like KDE Plasma, automotive systems, medical devices, and IoT systems, significantly broadens the potential attack surface (Security Online).

Qt has released patches to address this vulnerability. Users and developers are strongly advised to upgrade to Qt 6.9.3 or 6.8.5. Until systems can be fully patched, it is recommended to avoid rendering untrusted SVG content and to review third-party dependencies for the presence of the vulnerable module (Security Online).