{"id":"CVE-2023-51714","details":"An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.","modified":"2026-03-20T12:33:52.402145Z","published":"2023-12-24T21:15:25.470Z","related":["ALSA-2024:2276","ALSA-2024:3056","MGASA-2025-0046","SUSE-SU-2024:0063-1","SUSE-SU-2024:0138-1","SUSE-SU-2024:2890-1","SUSE-SU-2024:2946-1","openSUSE-SU-2024:13553-1","openSUSE-SU-2024:13555-1"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html"},{"type":"FIX","url":"https://codereview.qt-project.org/c/qt/qtbase/+/524864"},{"type":"FIX","url":"https://codereview.qt-project.org/c/qt/qtbase/+/524865/3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qt/qtbase","events":[{"introduced":"6c1e352803a6efbd8b14e5296434e22165b65084"},{"fixed":"8e79bee4afa2a1466f360f44fb07d24e432a82a6"},{"introduced":"fc9cda5f08ac848e88f63dd4a07c08b2fbc6bf17"},{"fixed":"dee139fa5ef483113e69fa67fd61a1d752a8ff45"},{"introduced":"9554d315aa74eaba1726405ee09117e2ebc6111f"},{"fixed":"8ff0b254e4c3db81254782262d827f7831d15f6b"},{"introduced":"33f5e985e480283bb0ca9dea5f82643e825ba87c"},{"fixed":"dec1863c7dc63e5788b0c6c061d36e856a6ae2b2"}],"database_specific":{"versions":[{"introduced":"5.7"},{"fixed":"5.15.17"},{"introduced":"6.0.0"},{"fixed":"6.2.11"},{"introduced":"6.3.0"},{"fixed":"6.5.4"},{"introduced":"6.6.0"},{"fixed":"6.6.2"}]}}],"versions":["v5.10.0","v5.10.0-alpha1","v5.10.0-beta1","v5.10.0-beta2","v5.10.0-beta3","v5.10.0-beta4","v5.10.0-rc1","v5.10.0-rc2","v5.10.0-rc3","v5.10.1","v5.11.0","v5.11.0-alpha1","v5.11.0-beta1","v5.11.0-beta2","v5.11.0-beta3","v5.11.0-beta4","v5.11.0-rc1","v5.11.0-rc2","v5.11.1","v5.11.2","v5.11.3","v5.12.0","v5.12.0-alpha1","v5.12.0-beta1","v5.12.0-beta2","v5.12.0-beta3","v5.12.0-beta4","v5.12.0-rc1","v5.12.0-rc2","v5.12.1","v5.12.2","v5.12.3","v5.12.4","v5.12.5","v5.13.0","v5.13.0-alpha1","v5.13.0-beta1","v5.13.0-beta2","v5.13.0-beta3","v5.13.0-beta4","v5.13.0-rc1","v5.13.0-rc2","v5.13.0-rc3","v5.13.1","v5.13.2","v5.14.0","v5.14.0-alpha1","v5.14.0-beta1","v5.14.0-beta2","v5.14.0-beta3","v5.14.0-rc1","v5.14.0-rc2","v5.14.1","v5.14.2","v5.15.0","v5.15.0-alpha1","v5.15.0-beta1","v5.15.0-beta2","v5.15.0-beta3","v5.15.0-beta4","v5.15.0-rc1","v5.15.0-rc2","v5.15.10-lts-lgpl","v5.15.11-lts-lgpl","v5.15.12-lts-lgpl","v5.15.13-lts-lgpl","v5.15.14-lts-lgpl","v5.15.15-lts-lgpl","v5.15.16-lts-lgpl","v5.15.3-lts-lgpl","v5.15.4-lts-lgpl","v5.15.5-lts-lgpl","v5.15.6-lts-lgpl","v5.15.7-lts-lgpl","v5.15.8-lts-lgpl","v5.15.9-lts-lgpl","v5.6.2","v5.7.0","v5.7.1","v5.8.0","v5.8.0-alpha1","v5.8.0-beta1","v5.8.0-rc1","v5.9.0","v5.9.0-alpha1","v5.9.0-beta1","v5.9.0-beta2","v5.9.0-beta3","v5.9.0-beta4","v5.9.0-rc1","v5.9.0-rc2","v5.9.1","v5.9.2","v5.9.3","v5.9.4","v6.0.0-alpha1","v6.0.0-beta1","v6.0.0-beta2","v6.0.0-beta3","v6.0.0-beta4","v6.0.0-beta5","v6.2.0-alpha1","v6.2.0-beta1","v6.2.0-beta2","v6.2.0-beta3","v6.2.0-beta4","v6.2.10-lts-lgpl","v6.2.5-lts-lgpl","v6.2.6-lts-lgpl","v6.2.7-lts-lgpl","v6.2.8-lts-lgpl","v6.2.9-lts-lgpl","v6.5.0-beta1","v6.5.0-beta2","v6.5.0-beta3","v6.6.0-beta1","v6.6.0-beta2","v6.6.0-beta3","v6.6.0-beta4"],"database_specific":{"vanir_signatures":[{"id":"CVE-2023-51714-462199ff","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"function_hash":"7364416592394577119437940976907996060","length":735},"signature_type":"Function","target":{"function":"QKtxHandler::decodeKeyValues","file":"src/gui/util/qktxhandler.cpp"}},{"id":"CVE-2023-51714-62991e15","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"threshold":0.9,"line_hashes":["163025544936468673396887582351900526570","192599772146138582938962858926520246855","121204903762595879395660416776397810880","218506546214480638963447889292690177668","131206179422142810249228455466547622028","169148247452786850530522787300885566438"]},"signature_type":"Line","target":{"file":"tests/auto/gui/util/qtexturefilereader/tst_qtexturefilereader.cpp"}},{"id":"CVE-2023-51714-6ac07c49","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"function_hash":"60956471746684524945346742045230509622","length":192},"signature_type":"Function","target":{"function":"QKtxHandler::canRead","file":"src/gui/util/qktxhandler.cpp"}},{"id":"CVE-2023-51714-85c4da1f","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"threshold":0.9,"line_hashes":["326791891951963302053498062007251604819","216501027714726516523260120877272770458","272316552540469537871419769208699747618","32756698102141330989931102338427760486","329085638427952370887499885194417094983","23992358934044123184146740662218759827","111420295665237001369063300250837057494","339921958229784533062656756998393974902","320457186581665594816885113759724029589","217155106427057612529695096959215002128","132063340904007978087212222386502296766","188353106039990923234557425075788070445","8473008348859982688628834671963097431","42428422552339712291675158392287383392","118450234344262773107008053217091128207","113978529423858291344594895384995680573","19188762913395271922019310197400478496","94731894940777509700646632370358911991","206579650303715150429769429304149393109","158044226728775515387637253804320166329","294900422571405337628917297662874063906","274144141498473902106102085549854312372","96236304093679483433446031978348595400","277809073397358023385567583554632736246","283512247336100706603413140741368060152","112955549893255764185096396270281853878","93089557951267292991403958030426040967","272303951869674331560001035679443752771","99970391310837704637120259889309993960","140491642941314039424598136395132568500","82425384615181284430715866001033073399","244895088819555936231521581995418052389","286860707805905689909930365340038990419","239870289400057756564903324715151891820","205857025933664987542535830034386165813","185256357155209013487235556466228204687","313625977436023324073035698239638724524","298689686129004949388916287062787044767","257634073108725076925535315757115026244","273513797962591852547449113704351648476","116720770702985978231634603541944901376","260705184382809755010022288052788629682","209075497822928170618318771371373013112","167730221265140455077897914573806345955","262297745719240115032485584871482723758","312537045819153036586834294189931422334","90853907946704080172202977536754825739","233753438766578678551593957161454133521","171900717941769559318162075811107177176","73481453844480851765101099994755109643","223806874672977638569733942405565929788","279563880410908758317228758824101779342","59265332618951206024076635072161489916","284679932794797200761486766510381587131","6062148158586369252781625970162716544","55964092935897503430526652068475996616","241670279024805347673473354765222283401","72975930225814918375803833441984993679","58293507839107831635187045894736830875","322287645065413365969281015760476821568","91881551019884164228114603971124350767","91698441258791324708047973243870805667","75660462155697043975284469895546951126","72832898569556524298313240615759476984","196158815946406060608327729606793116348","208171843212904890205401292669084500816","298504100938338821177903776210171852460","12385753637530777424050096468058906625","220970122788446913640296160606462900808","211637163825161736622392903579643335239","156944970459392248563646670762345293807","54871384128103068577648035189243511684","316987147565135293733267095739034607580","242516089558919917119599336241103995525","41201070085319439605240516280312037260","175416545714977225076087158803894547208","324945013111721331764264708185658314428","23407635790766161537621439751219680210"]},"signature_type":"Line","target":{"file":"src/gui/util/qktxhandler.cpp"}},{"id":"CVE-2023-51714-c5e52c72","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"function_hash":"307336593277657630736852378315688205833","length":144},"signature_type":"Function","target":{"function":"withPadding","file":"src/gui/util/qktxhandler.cpp"}},{"id":"CVE-2023-51714-d4aa4015","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/8ff0b254e4c3db81254782262d827f7831d15f6b","digest":{"function_hash":"136461757324256813282022259417379127365","length":158},"signature_type":"Function","target":{"function":"CppGenerator::copyrightHeader","file":"src/tools/qlalr/cppgenerator.cpp"}},{"id":"CVE-2023-51714-e2f100fb","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/8ff0b254e4c3db81254782262d827f7831d15f6b","digest":{"threshold":0.9,"line_hashes":["19558493098812227728671165474361015392","106008374532169155072527926556305774515","188893840817205926988204630655514730863","235179633474731591380608793762610541546"]},"signature_type":"Line","target":{"file":"src/tools/qlalr/cppgenerator.cpp"}},{"id":"CVE-2023-51714-e66d7216","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"function_hash":"2500646054964973657236404764740378148","length":1996},"signature_type":"Function","target":{"function":"QKtxHandler::read","file":"src/gui/util/qktxhandler.cpp"}},{"id":"CVE-2023-51714-f7b1a2a7","deprecated":false,"signature_version":"v1","source":"https://github.com/qt/qtbase/commit/dec1863c7dc63e5788b0c6c061d36e856a6ae2b2","digest":{"threshold":0.9,"line_hashes":["153103572155014416452620909264860982546","293763830944613902788866577175215898927","135489548238572539311258804692019884127","15772471024379444214167190962107309446","270376144655553600952382251816304575273","229399418970970037446185672734695865297"]},"signature_type":"Line","target":{"file":"src/gui/util/qktxhandler_p.h"}}],"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-51714.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}