Cyber Resilience

CVE-2026-6210

High

Published: 06 May 2026

Published
06 May 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0028 19.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6210 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Qt Project (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Image (T1204.003); ranked at the 19.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without…

more

verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.003 Malicious Image Execution
Adversaries may rely on a user running a malicious image to facilitate execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Crafted SVG image triggers type confusion leading to crash (T1499.004); delivered as malicious image requiring user execution (T1204.003).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

Affected Assets

Qt Project
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References