CVE-2023-38197
- Source
- https://cve.org/CVERecord?id=CVE-2023-38197
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38197.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2023-38197
- Downstream
- Related
- Published
- 2023-07-13T00:00:00Z
- Modified
- 2026-05-09T02:58:49.977770Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- Database specific
{ "cna_assigner": "mitre", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38197.json", "unresolved_ranges": [ { "source": "DESCRIPTION", "extracted_events": [ { "fixed": "5.15.15" }, { "introduced": "6.x" }, { "fixed": "6.2.10" }, { "introduced": "6.3.x" }, { "fixed": "6.5.x" }, { "fixed": "6.5.3" } ] } ] }- References
-
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/38xxx/CVE-2023-38197.json
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F5C3NYVJ73ITE6HUOVVHBUAGORVEJRHO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XEGQ6DFTL2BEJMHCD5FJGI6XLWQI7UEA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XFZORZYCMUZZFIOEZICJ7VH2BZIGY3HV/
- https://nvd.nist.gov/vuln/detail/CVE-2023-38197
- https://lists.debian.org/debian-lts-announce/2023/08/msg00028.html
- https://lists.debian.org/debian-lts-announce/2024/04/msg00027.html
Affected packages
Git / github.com/qt/qtbase
Affected ranges
- Type
- GIT
- Repo
- https://github.com/qt/qtbase
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "source": "CPE_FIELD", "cpe": "cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*", "extracted_events": [ { "introduced": "0" }, { "fixed": "5.15.15" }, { "introduced": "6.0.0" }, { "fixed": "6.2.10" }, { "introduced": "6.3.0" }, { "fixed": "6.5.3" } ] }
Affected versions
v5.*
v5.0.0-beta1
v5.0.0-beta2
v5.15.0-alpha1
v5.15.0-beta1
v5.15.0-beta2
v5.15.0-beta3
v5.15.0-beta4
v5.15.10-lts-lgpl
v5.15.11-lts-lgpl
v5.15.12-lts-lgpl
v5.15.13-lts-lgpl
v5.15.14-lts-lgpl
v5.15.3-lts-lgpl
v5.15.4-lts-lgpl
v5.15.5-lts-lgpl
v5.15.6-lts-lgpl
v5.15.7-lts-lgpl
v5.15.8-lts-lgpl
v5.15.9-lts-lgpl
v6.*
v6.0.0-alpha1
v6.0.0-beta1
v6.0.0-beta2
v6.0.0-beta3
v6.0.0-beta4
v6.0.0-beta5
v6.2.0-alpha1
v6.2.0-beta1
v6.2.0-beta2
v6.2.0-beta3
v6.2.0-beta4
v6.2.5-lts-lgpl
v6.2.6-lts-lgpl
v6.2.7-lts-lgpl
v6.2.8-lts-lgpl
v6.2.9-lts-lgpl
v6.5.0-beta1
v6.5.0-beta2
v6.5.0-beta3
Database specific
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-38197.json"
vanir_signatures
[
{
"source": "https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624",
"signature_type": "Function",
"digest": {
"function_hash": "38259293548902737777275712752331343392",
"length": 1886.0
},
"target": {
"file": "src/corelib/itemmodels/qitemselectionmodel.cpp",
"function": "QItemSelectionModelPrivate::initModel"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-38197-13167ccd"
},
{
"source": "https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"87361980673766272267219738812171569415",
"205524495854561398802234511811516116091",
"196697108956812034362302347937410944742",
"61748281403189272026466914579964218575",
"86554005527345536180803463393829569588",
"138972697849049708373997816242949305863",
"39658990249987524557285517040476549389",
"91037344694848986727600386580410212812",
"85752268986580132659688941271689316652",
"293640252404270675870626936474950913553",
"184571535668388517638634745445475766913",
"35388671131273319527596436102983390680",
"284303280828705192729204731703242024651",
"316507940730145078340475632468012846228"
]
},
"target": {
"file": "src/corelib/itemmodels/qitemselectionmodel.cpp"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-38197-33ee196f"
},
{
"source": "https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624",
"signature_type": "Function",
"digest": {
"function_hash": "153772929723627036583640333571744381705",
"length": 239.0
},
"target": {
"file": "src/corelib/itemmodels/qitemselectionmodel.cpp",
"function": "QItemSelectionModelPrivate::disconnectModel"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-38197-67669c6f"
},
{
"source": "https://github.com/qt/qtbase/commit/372eaedc5b8c771c46acc4c96e91bbade4ca3624",
"signature_type": "Line",
"digest": {
"threshold": 0.9,
"line_hashes": [
"288006492465818663008628430064770650281",
"20574375947787686126921422720784265935",
"168486689155343824614617482142165887338",
"237927361158180293105380322227781034941",
"91048025042654194263877087798053120381",
"231480675520447089506303661913067745474"
]
},
"target": {
"file": "tests/auto/corelib/itemmodels/qitemselectionmodel/tst_qitemselectionmodel.cpp"
},
"signature_version": "v1",
"deprecated": false,
"id": "CVE-2023-38197-840f43c8"
}
]
vanir_signatures_modified
"2026-05-09T02:58:49Z"