{"id":"CVE-2024-39936","details":"An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.","modified":"2026-04-11T00:18:22.786402Z","published":"2024-07-04T21:15:10.180Z","related":["ALSA-2024:4617","ALSA-2024:4623","MGASA-2025-0046","SUSE-SU-2024:2873-1","SUSE-SU-2024:2875-1","SUSE-SU-2024:2882-1","SUSE-SU-2024:2883-1","SUSE-SU-2024:2890-1","SUSE-SU-2024:2946-1","openSUSE-SU-2024:14114-1","openSUSE-SU-2024:14215-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/11/msg00031.html"},{"type":"ADVISORY","url":"https://codereview.qt-project.org/c/qt/qtbase/+/571601"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/qt/qtbase","events":[{"introduced":"0"},{"fixed":"49adb85d34918034e0d6a4c23817407103fb9f73"},{"introduced":"fc9cda5f08ac848e88f63dd4a07c08b2fbc6bf17"},{"fixed":"8c8e225029a8c1982e04a4a5e3d62f08e84e3d15"},{"introduced":"9554d315aa74eaba1726405ee09117e2ebc6111f"},{"fixed":"fc0e66eefe3a08428ca4a6e92c66f37ac126d3c4"},{"introduced":"33f5e985e480283bb0ca9dea5f82643e825ba87c"},{"fixed":"92b685784960eea6eb353688cf0edeb94d69c6cd"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"5.15.18"},{"introduced":"6.0.0"},{"fixed":"6.2.13"},{"introduced":"6.3.0"},{"fixed":"6.5.7"},{"introduced":"6.6.0"},{"fixed":"6.7.3"}]}}],"versions":["v5.0.0-beta1","v5.0.0-beta2","v5.15.0-alpha1","v5.15.0-beta1","v5.15.0-beta2","v5.15.0-beta3","v5.15.0-beta4","v5.15.10-lts-lgpl","v5.15.11-lts-lgpl","v5.15.12-lts-lgpl","v5.15.13-lts-lgpl","v5.15.14-lts-lgpl","v5.15.15-lts-lgpl","v5.15.16-lts-lgpl","v5.15.3-lts-lgpl","v5.15.4-lts-lgpl","v5.15.5-lts-lgpl","v5.15.6-lts-lgpl","v5.15.7-lts-lgpl","v5.15.8-lts-lgpl","v5.15.9-lts-lgpl","v6.0.0-alpha1","v6.0.0-beta1","v6.0.0-beta2",
"v6.0.0-beta3","v6.0.0-beta4","v6.0.0-beta5","v6.2.0-alpha1","v6.2.0-beta1","v6.2.0-beta2","v6.2.0-beta3","v6.2.0-beta4","v6.2.10-lts-lgpl","v6.2.11-lts-lgpl","v6.2.12-lts-lgpl","v6.2.5-lts-lgpl","v6.2.6-lts-lgpl","v6.2.7-lts-lgpl","v6.2.8-lts-lgpl","v6.2.9-lts-lgpl","v6.5.0-beta1","v6.5.0-beta2","v6.5.0-beta3","v6.5.4-lts-lgpl","v6.5.6-lts-lgpl","v6.7.0-beta1","v6.7.0-beta2","v6.7.0-beta3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-39936.json","vanir_signatures_modified":"2026-04-11T00:18:22Z","vanir_signatures":[{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":3602,"function_hash":"297594887767442272234953710013872217385"},"target":{"file":"src/3rdparty/libjpeg/src/jdapistd.c","function":"_jpeg_skip_scanlines"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-2e029142"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["238812358178134258348402339491393942744","65021909418872283462016070950310730604","281859048662224521985812577235565326302","286842166552504723994853808858585427421","105989373357661859489910015817648890689","248717183327682656008043478815848377899","262880095834214793998682684906262431669","150635852381833268752458734701239366211","70896513694721530951139813582053314188"]},"target":{"file":"src/3rdparty/libjpeg/src/jdapistd.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-30bb05b4"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1716,"function_hash":"171666054930286118321257300496342823173"},"target":{"file":"src/3rdparty/libjpeg/src/jcphuff.c","function":"encode_mcu_AC_first"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-4bd5b552"},{"source":"https:/
/github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["282271705919220662797317301953562217210","26354801347968419450462874614737305076","121448180855004584010038074524035003838","171877027560841729265860058532867137992","150037881264369561876825616417169450961","300181338973449275970315300801237141492","220502051796372030677109761646319934852","171877027560841729265860058532867137992","319836103987847772261625489613057113856"]},"target":{"file":"src/3rdparty/libjpeg/src/jmemnobs.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-6a913096"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1873,"function_hash":"225691331049317106882581261176048708909"},"target":{"file":"src/3rdparty/libjpeg/src/jdmarker.c","function":"save_marker"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-7e2649bc"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["86891332643807965807444811923206745291","170019315699302020184204478133416483597","317909979623887872167233895087085373461"]},"target":{"file":"src/3rdparty/libjpeg/src/jchuff.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-7e26a850"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":2438,"function_hash":"120629277169633982242690646483688813814"},"target":{"file":"src/3rdparty/libjpeg/src/jdapistd.c","function":"_jpeg_crop_scanline"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-7f3ddb5f"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1847,"function_hash":"174590571016291036914804854964422047859"},"target":{"file":"src/3rdpart
y/libjpeg/src/jcphuff.c","function":"encode_mcu_AC_refine"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-95c4ff74"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1771,"function_hash":"310957850098035546516130821996946822070"},"target":{"file":"src/3rdparty/libjpeg/src/jdmarker.c","function":"get_sof"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-a7fa1a05"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":364,"function_hash":"126253469987247160605116429180815017523"},"target":{"file":"src/3rdparty/libjpeg/src/jcomapi.c","function":"jpeg_abort"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-aff347fb"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["75455869277611418914614959630974876406","243175196749763967234642741750043613100","21710536031753962687661373946722612882","98169982617924137934735667447262952962","247133728735013742670172731908185260225","5702256517840662419395978215990308436","147658319126284880460410923713024667270","328667933812664049325355441762668269728"]},"target":{"file":"src/3rdparty/libjpeg/src/jpegint.h"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-b7328db0"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1686,"function_hash":"116792800950565794731693741766954361280"},"target":{"file":"src/3rdparty/libjpeg/src/jcmaster.c","function":"jinit_c_master_control"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-c2f925de"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["155181600771
589220044399818623914628812","175522640684176832842224937218734827512","11199357094457896743020596337394234841","325633496200158301648971895592423869978"]},"target":{"file":"src/3rdparty/libjpeg/src/jcparam.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-c3b79787"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":250,"function_hash":"242105973936000741376676343751265081177"},"target":{"file":"src/3rdparty/libjpeg/src/jchuff.c","function":"encode_one_block_simd"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-cc3913da"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["302884232758301730968022407404771432158","49317775225756221646264614877824123176","45589192693632696636085060402579746071","35384128077787820148826174798084727981","97988047487540332933963559917935396560","253186434447164529744763168940616558059","105122674525832142031539380152109635528","198193026461570310569226057442411103761","141222646611143444325146619650731631046","129705008597883571547080687423427338032","163067573093291491736463742390665117724","116662240200564630782194742891620402565","301429435530148583368016762475045066108","319392501251850572031089376699083262275","128517556116934408925292649810112310831","154897486283229669533782148258761294483","181296038309001628089732708770686442373","529331994227905293330925025857890284","172408687813032237706757868563829142167"]},"target":{"file":"src/3rdparty/libjpeg/src/jdmarker.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-cd4e58be"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["333269402802645106063316925667459722265","102742791048883488537179219822252552469","1442303351685533047689382192000
8694249","187738562626945295431325883379031742778","61954048364348906084719228146943859077","223689068946411398329986270536965467576","108355238396913764791620047959811961483","173000129412825813869459143952277512875","194926026220282121577396968966033378919","196098982761775612093659041087098055009","64845845534642826960635715080887602682","299840145278724710675411461908022439575","86923588557925156047558937764899305064","256830621984917240702187173136627878623","263232712996669396383161278143423543938","288036106132651775767668184853843089932","126156336885997469148969269204512900849"]},"target":{"file":"src/3rdparty/libjpeg/src/jcmaster.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-dd034bbd"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"length":1286,"function_hash":"8667423670976454694850310049638336778"},"target":{"file":"src/3rdparty/libjpeg/src/jcparam.c","function":"jpeg_set_defaults"},"signature_version":"v1","signature_type":"Function","id":"CVE-2024-39936-e446de86"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["205732786092169560953190835866449909816","157068406392521283438239908625514759915","95591474764287435303817237325523574084","148253672425901493956109828592924006982","33395593745310535341403424012224345905"]},"target":{"file":"src/3rdparty/libjpeg/src/jcomapi.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-e8047157"},{"source":"https://github.com/qt/qtbase/commit/92b685784960eea6eb353688cf0edeb94d69c6cd","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["235840524353470660703021357099231911180","96125709060957891697661255107417909062","1696369940499669501010694837610410559","118012788675233929237317989210792820590","181329525160450290875915559275620971127","218918902511246631684401247401875122747"]},"target":{"f
ile":"src/3rdparty/libjpeg/src/jcphuff.c"},"signature_version":"v1","signature_type":"Line","id":"CVE-2024-39936-f27572c1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}