Cyber Resilience

CVE-2024-36048

Severity: Critical
Published: 18 May 2024
Modified: 04 November 2025
KEV Added: not listed
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0048 (65.7th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-36048 is a critical-severity PRNG seeding vulnerability (CWE-335, Incorrect Usage of Seeds in Pseudo-Random Number Generator) in Qt. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked in the top 34.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Vulnerability details

QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

CWE(s)

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force Credential Access
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Qt's OAuth implementation seeds its PRNG using only the current time, so the values it generates for nonces, state parameters, or tokens are guessable by anyone who can estimate when they were produced; this makes brute-force guessing feasible in the authentication flow.

Affected Assets

qt / qt: ≤ 5.15.17 · 6.0.0 to 6.2.13 · 6.3.0 to 6.5.6
fedoraproject / fedora: 39, 40

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.