{"id":"CVE-2023-38197","details":"An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.","modified":"2026-05-19T06:56:59.169135Z","published":"2023-07-13T00:00:00Z","related":["ALSA-2023:6369","ALSA-2023:6967","SUSE-SU-2023:2971-1","SUSE-SU-2023:2982-1","SUSE-SU-2023:3018-1","SUSE-SU-2023:3207-1","SUSE-SU-2023:3225-1","SUSE-SU-2023:3380-1","SUSE-SU-2023:4622-1","SUSE-SU-2025:02968-1","openSUSE-SU-2024:13079-1","openSUSE-SU-2024:13377-1"],"database_specific":{"unresolved_ranges":[{"source":"DESCRIPTION","extracted_events":[{"fixed":"5.15.15"},{"introduced":"6.x"},{"fixed":"6.2.10"},{"introduced":"6.3.x"},{"fixed":"6.5.x"},{"fixed":"6.5.3"}]}],"cna_assigner":"mitre","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38197.json"},"references":[{"type":"WEB","url":"https://codereview.qt-project.org/c/qt/qtbase/+/488960"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38197.json"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5C3NYVJ73ITE6HUOVVHBUAGORVEJRHO/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEGQ6DFTL2BEJMHCD5FJGI6XLWQI7UEA/"},{"type":"ADVISORY","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFZORZYCMUZZFIOEZICJ7VH2BZIGY3HV/"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-38197"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2023/08/msg00028.html"},{"type":"ARTICLE","url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qt/qt5","events":[{"introduced":"0"},{"fixed":"e4ca9dfa716e7590d1a3014c65b05ac00781f980"},{"introduced":"78410d7e8b7aafdcbb4feea3a943038c7e0a0b5f"},{"fixed":"0c6cbc73d189c662eb969025855da72eed85c2c3"},{"introduced":"1734139bf4629af593e79d247a18f8e511bf7c5e"},{"fixed":"c0f82c61815a1d503b018d61b7c931ccf0139a5c"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"5.15.15"},{"introduced":"6.0.0"},{"fixed":"6.2.10"},{"introduced":"6.3.0"},{"fixed":"6.5.3"}],"cpe":"cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*"}}],"versions":["v6.2.9-lts-lgpl","v5.15.14-lts-lgpl","v6.2.8-lts-lgpl","v5.15.13-lts-lgpl","v6.2.7-lts-lgpl","v5.15.12-lts-lgpl","v5.15.11-lts-lgpl","v6.2.6-lts-lgpl","v5.15.10-lts-lgpl","v6.2.5-lts-lgpl","v5.15.9-lts-lgpl","v5.15.8-lts-lgpl","v6.5.0-beta3","v6.5.0-beta2","v5.15.7-lts-lgpl","v6.5.0-beta1","v5.15.6-lts-lgpl","v5.15.5-lts-lgpl","v5.15.4-lts-lgpl","v5.15.3-lts-lgpl","v6.2.0-beta4","v6.2.0-beta3","v6.2.0-beta2","v6.2.0-beta1","v6.2.0-alpha1","v6.0.0-beta5","v6.0.0-beta4","v6.0.0-beta3","v6.0.0-beta2","v6.0.0-beta1","v6.0.0-alpha1","v5.15.0-beta4","v5.15.0-beta3","v5.15.0-beta2","v5.15.0-beta1","v5.15.0-alpha1","v5.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38197.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/qt/qtbase","events":[{"introduced":"0"},{"fixed":"ca725ad9c5331a657c328bf624f2b0b713623276"},{"introduced":"fc9cda5f08ac848e88f63dd4a07c08b2fbc6bf17"},{"fixed":"017d80e12fa50c50fa6751a039d3a7c9e799f34c"},{"introduced":"9554d315aa74eaba1726405ee09117e2ebc6111f"},{"fixed":"372eaedc5b8c771c46acc4c96e91bbade4ca3624"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"fixed":"5.15.15"},{"introduced":"6.0.0"},{"fixed":"6.2.10"},{"introduced":"6.3.0"},{"fixed":"6.5.3"}],"cpe":"cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*"}}],"versions":["v6.2.9-lts-lgpl","v5.15.14-lts-lgpl","v6.2.8-lts-lgpl","v5.15.13-lts-lgpl","v6.2.7-lts-lgpl","v5.15.12-lts-lgpl","v5.15.11-lts-lgpl","v6.2.6-lts-lgpl","v5.15.10-lts-lgpl","v5.15.9-lts-lgpl","v5.15.8-lts-lgpl","v6.2.5-lts-lgpl","v6.5.0-beta3","v6.5.0-beta2","v6.5.0-beta1","v5.15.7-lts-lgpl","v5.15.6-lts-lgpl","v5.15.5-lts-lgpl","v5.15.4-lts-lgpl","v5.15.3-lts-lgpl","v6.2.0-beta4","v6.2.0-beta3","v6.2.0-beta2","v6.2.0-beta1","v6.2.0-alpha1","v6.0.0-beta5","v6.0.0-beta4","v6.0.0-beta3","v6.0.0-beta2","v6.0.0-beta1","v6.0.0-alpha1","v5.15.0-beta4","v5.15.0-beta3","v5.15.0-beta2","v5.15.0-beta1","v5.15.0-alpha1","v5.0.0-beta2","v5.0.0-beta1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38197.json","vanir_signatures":[{"target":{"function":"QItemSelectionModelPrivate::initModel","file":"src/corelib/itemmodels/qitemselectionmodel.cpp"},"source":"https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624","deprecated":false,"id":"CVE-2023-38197-13167ccd","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"38259293548902737777275712752331343392","length":1886}},{"target":{"file":"src/corelib/itemmodels/qitemselectionmodel.cpp"},"source":"https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624","deprecated":false,"id":"CVE-2023-38197-33ee196f","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["87361980673766272267219738812171569415","205524495854561398802234511811516116091","196697108956812034362302347937410944742","61748281403189272026466914579964218575","86554005527345536180803463393829569588","138972697849049708373997816242949305863","39658990249987524557285517040476549389","91037344694848986727600386580410212812","85752268986580132659688941271689316652","293640252404270675870626936474950913553","184571535668388517638634745445475766913","35388671131273319527596436102983390680","284303280828705192729204731703242024651","316507940730145078340475632468012846228"]}},{"target":{"function":"QItemSelectionModelPrivate::disconnectModel","file":"src/corelib/itemmodels/qitemselectionmodel.cpp"},"source":"https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624","deprecated":false,"id":"CVE-2023-38197-67669c6f","signature_version":"v1","signature_type":"Function","digest":{"function_hash":"153772929723627036583640333571744381705","length":239}},{"target":{"file":"tests/auto/corelib/itemmodels/qitemselectionmodel/tst_qitemselectionmodel.cpp"},"source":"https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624","deprecated":false,"id":"CVE-2023-38197-840f43c8","signature_version":"v1","signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["288006492465818663008628430064770650281","20574375947787686126921422720784265935","168486689155343824614617482142165887338","237927361158180293105380322227781034941","91048025042654194263877087798053120381","231480675520447089506303661913067745474"]}}],"vanir_signatures_modified":"2026-05-19T06:56:59Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}