CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
32.6%
Prior to version 5.14, Qt hard-codes the qt_prfxpath
value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt.
Prior to version 5.14, Qt hard-codes the qt_prfxpath
value to a value that reflects the path where Qt exists on the system that was used to build Qt. For example, it may refer to a specific subdirectory within C:\Qt\
, which is the default installation location for Qt on Windows. If software that is built with Qt runs with privileges on a Windows system, this may allow for privilege escalation due to the fact that Windows by default allows unprivileged users to create subdirectories off of the root C:\
drive location.
In 2015, a patch was made to windeployqt to strip out any existing qt_prfxpath
value from Qt5Core.dll
. If Windows software that uses Qt prior to version 5.14 is not properly packaged using windeployqt, then it may be vulnerable to privilege escalation.
By placing a file in an appropriate location on a Windows system, an unprivileged attacker may be able to execute arbitrary code with the privileges of the software that uses Qt.
This issue is addressed in Qt 5.14. Starting with this version, Qt no longer hard-codes the qt_prfxpath
value in Qt5Core.dll
.
The windeployqt utility will replace the qt_prfxpath
value in the Qt core DLL with the value of .
, which helps prevent this path from being used to achieve privilege escalation.
This document was written by Will Dormann.
411271
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Updated: 2022-04-28 CVE-2022-26873 | Affected |
---|
We have not received a statement from the vendor.
MiniTool ShadowMaker versions 1.0 and 3.0 beta are vulnerable. ShadowMaker version 3.6 properly strips out the qt_prfxpath
variable, so it is not vulnerable.
Updated: 2022-04-28 CVE-2022-26873 | Affected |
---|
We have not received a statement from the vendor.
Qt version 5.14 and later do not have a hard-coded path stored as qt_prfxpath
. Qt versions prior to 5.14 require windeployqt to replace any hard-coded path in Qt5Core.dll
with .
, or the software that uses Qt may be vulnerable to privilege escalation on Windows.
Notified: 2022-03-23 Updated: 2022-04-28
Statement Date: April 27, 2022
CVE-2022-26873 | Affected |
---|
CVE-2022-26873 has been resolved with a binary patch to the QT library TYCHON uses. The TYCHON Endpoint version 1.7.857.82 contains the fix to this vulnerability.
CVE IDs: | CVE-2022-26873 |
---|---|
Date Public: | 2010-10-10 Date First Published: |