CVE-2024-36048 identifies a critical vulnerability in the QAbstractOAuth component of the Qt Network Authorization framework. Qt, a widely used cross-platform application development framework, relies on QAbstractOAuth for handling OAuth authentication flows. The vulnerability arises because the PRNG used within QAbstractOAuth is seeded solely with the current time, a predictable value. This poor seeding method (classified under CWE-335: Use of Cryptographically Weak Pseudo-Random Number Generator) allows attackers to predict the output of the PRNG, potentially enabling them to guess OAuth tokens or other cryptographic secrets generated by the component. The affected Qt versions include all releases before 5.15.17, all 6.x versions before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1. Exploitation requires no privileges or user interaction and can be performed remotely, making it highly dangerous. The impact includes full compromise of confidentiality, integrity, and availability of authentication tokens, which could lead to unauthorized access, data exfiltration, and service disruption. Although no known exploits are currently reported in the wild, the high CVSS score (9.8) reflects the critical nature of this vulnerability. The lack of patch links in the provided data suggests that organizations must monitor Qt releases closely for updates addressing this issue.

For European organizations, the impact of CVE-2024-36048 is significant due to the widespread use of Qt in various sectors including automotive, industrial control systems, telecommunications, and desktop/mobile applications. Compromise of OAuth tokens can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, intellectual property theft, and disruption of critical services. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of automated attacks and large-scale exploitation campaigns. Organizations relying on Qt-based software for internal or customer-facing applications may face reputational damage and regulatory penalties under GDPR if personal data is exposed. The vulnerability also poses risks to embedded systems and IoT devices using Qt, which are prevalent in European manufacturing and smart infrastructure, potentially affecting operational technology environments.

European organizations should immediately identify all applications and systems using affected Qt versions, including embedded devices and third-party software dependencies. They must prioritize upgrading to the fixed Qt versions: 5.15.17 or later, 6.2.13 or later, 6.5.6 or later, and 6.7.1 or later as applicable. Where immediate patching is not feasible, organizations should implement compensating controls such as network segmentation to isolate vulnerable systems, enhanced monitoring for suspicious OAuth token usage, and strict access controls on systems handling OAuth authentication. Developers should audit their use of QAbstractOAuth to ensure no custom overrides weaken PRNG seeding further. Additionally, organizations should review OAuth token lifetimes and revoke potentially compromised tokens. Coordinating with software vendors and embedded device manufacturers to obtain patches or mitigations is critical. Finally, security teams should prepare incident response plans for potential exploitation scenarios involving OAuth token compromise.