CVE-2022-25255
Publication date 16 February 2022
Last updated 11 July 2025
Ubuntu priority
Description
In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| qt6-base | 25.10 questing |
Needs evaluation
|
| 25.04 plucky |
Needs evaluation
|
|
| 24.04 LTS noble |
Needs evaluation
|
|
| 22.04 LTS jammy |
Needs evaluation
|
|
| 16.04 LTS xenial | Ignored end of standard support | |
| 14.04 LTS trusty | Ignored end of standard support | |
| qtbase-opensource-src | 25.10 questing |
Not affected
|
| 25.04 plucky |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic |
Not affected
|
|
| 16.04 LTS xenial |
Not affected
|
|
| 14.04 LTS trusty | Ignored end of standard support |
Notes
mdeslaur
introduced by: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=28666d167aa8e602c0bea25ebc4d51b55005db13 which seems to have been introduced in Qt 5.10, not 5.9 as the CVE description suggests.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.8 · High
|
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
Other references
- https://download.qt.io/official_releases/qt/6.2/qprocess6-2.diff
- https://codereview.qt-project.org/c/qt/qtbase/+/393113
- https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
- https://codereview.qt-project.org/c/qt/qtbase/+/396020
- https://codereview.qt-project.org/c/qt/qtbase/+/394914
- https://www.cve.org/CVERecord?id=CVE-2022-25255