
CVE-2025-5991: CWE-416 Use After Free in The Qt Company Qt

Low
Tags: Vulnerability, CVE-2025-5991, CWE-416
Published: Wed Jun 11 2025 (06/11/2025, 07:33:41 UTC)
Source: CVE Database V5
Vendor/Project: The Qt Company
Product: Qt

Description

There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling; HTTP handling is not affected by this at all. It occurs because of a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses. This issue only affects Qt 6.9.0 and has been fixed in Qt 6.9.1.

AI-Powered Analysis

AI analysis last updated: 07/12/2025, 05:17:46 UTC

Technical Analysis

CVE-2025-5991 is a Use After Free (UAF) vulnerability in the Qt framework, specifically in the QHttp2ProtocolHandler component of the QtNetwork module. It affects only Qt version 6.9.0 and only the HTTP/2 protocol handling path; HTTP/1.x handling is unaffected. The root cause is a race condition between QHttp2Stream's upload of a POST request body and the concurrent handling of an HTTP error response for the same exchange. When the race is lost, memory that is still referenced by the upload path is freed early, producing a Use After Free. Exploiting this could allow an attacker to crash the application or, depending on how the freed memory is subsequently reused, to execute arbitrary code. The assigned CVSS 4.0 score is 2.1 (low), driven primarily by the local attack vector (AV:L) and high attack complexity (AC:H); the vector also records that no privileges and no user interaction are required. The vulnerability was fixed in Qt 6.9.1, and no exploits are currently reported in the wild. It is classified under CWE-416 (Use After Free), a common memory corruption class that can have serious security consequences when exploited successfully.

Potential Impact

For European organizations, the impact of CVE-2025-5991 is generally low but should not be disregarded. Qt is widely used in embedded systems, industrial control software, and cross-platform desktop applications. Organizations relying on Qt 6.9.0 for software that handles HTTP/2 traffic face a risk of application instability, or of exploitation if an attacker can reliably trigger the race condition. Although the vulnerability requires local access and has high attack complexity, targeted attacks in sensitive environments such as critical infrastructure, manufacturing, or telecommunications could use this flaw to disrupt services or gain a foothold for further exploitation. The low CVSS score suggests limited immediate risk, but a Use After Free bug always warrants attention because of its potential for escalation when combined with other vulnerabilities. European organizations should assess their use of Qt 6.9.0, especially in network-facing applications that process HTTP/2 requests, to avoid unexpected downtime or security breaches.

Mitigation Recommendations

1. Immediate upgrade to Qt version 6.9.1 or later, where the vulnerability has been patched, is the most effective mitigation.
2. Conduct an inventory of all applications and systems using Qt 6.9.0, focusing on those that handle HTTP/2 traffic, and prioritize patching or replacement.
3. Implement strict access controls to limit local access to systems running vulnerable Qt versions, reducing the risk of exploitation.
4. Employ runtime protections such as memory corruption mitigations (e.g., ASLR, DEP) to reduce the impact of Use After Free vulnerabilities.
5. Monitor application logs and network traffic for unusual POST request patterns or HTTP error responses that could indicate attempts to trigger the race condition.
6. For embedded or legacy systems where upgrading Qt is not immediately feasible, consider disabling HTTP/2 support if possible or isolating affected systems from untrusted networks.
7. Maintain up-to-date threat intelligence feeds to detect any emerging exploits targeting this vulnerability.
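A small inventory helper for step 2, added here as an example and not code from the advisory or from The Qt Company. It assumes each Qt install exposes its version through a header line of the form `#define QT_VERSION_STR "6.9.0"` (as in Qt 6's `qconfig.h`), walks a directory tree looking for such headers, and flags exactly the release the advisory names as affected.

```python
"""Locate Qt installs under a path and flag the CVE-2025-5991 affected release."""
import os
import re
import sys
from typing import Iterator, Optional, Tuple

Version = Tuple[int, int, int]

# Per the advisory: only 6.9.0 is affected; 6.9.1 carries the fix.
AFFECTED: Version = (6, 9, 0)
FIXED: Version = (6, 9, 1)

# Assumption: the install's version header contains a QT_VERSION_STR define.
_VERSION_RE = re.compile(r'#\s*define\s+QT_VERSION_STR\s+"(\d+)\.(\d+)\.(\d+)')
_HEADER_NAMES = ("qconfig.h", "qglobal.h")


def parse_qt_version(header_text: str) -> Optional[Version]:
    """Return (major, minor, patch) from header text, or None if not present."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True only for the single release the advisory lists as vulnerable."""
    return version == AFFECTED


def scan_tree(root: str) -> Iterator[Tuple[str, Version, bool]]:
    """Yield (header_path, version, affected) for each Qt version header found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in _HEADER_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_qt_version(fh.read())
            except OSError:
                continue  # unreadable header: skip rather than abort the inventory
            if version is not None:
                yield path, version, is_affected(version)


if __name__ == "__main__":
    for path, version, affected in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        status = "AFFECTED (upgrade to %d.%d.%d)" % FIXED if affected else "ok"
        print("%s: Qt %d.%d.%d %s" % (path, *version, status))
```

Binaries built against a vulnerable Qt but deployed without headers will not be found this way, so pair the scan with a check of the shipped `libQt6Network` version.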


Technical Details

Data Version: 5.1
Assigner Short Name: TQtC
Date Reserved: 2025-06-11T06:08:23.434Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6849339d72c9cfbdf1192f41

Added to database: 6/11/2025, 7:43:25 AM

Last enriched: 7/12/2025, 5:17:46 AM

Last updated: 8/5/2025, 12:37:43 PM

