
CVE-2025-5992: CWE-20 Improper Input Validation in The Qt Company Qt

Severity: Low
Type: Vulnerability | Tags: cve, cve-2025-5992, cwe-20
Published: Fri Jul 11 2025 (07/11/2025, 06:45:15 UTC)
Source: CVE Database V5
Vendor/Project: The Qt Company
Product: Qt

Description

When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service; for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile. This issue affects Qt from 6.6.0 through 6.8.3 and from 6.9.0 through 6.9.1. This is fixed in 6.8.4 and 6.9.2.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 07:16:32 UTC

Technical Analysis

CVE-2025-5992 is a vulnerability in The Qt Company's Qt framework affecting versions 6.6.0 through 6.8.3 and 6.9.0 through 6.9.1. It stems from improper input validation (CWE-20) in the QColorTransferGenericFunction component: when values outside the expected range are passed to this function, the result can be a denial of service (DoS). The practical exploitation vector is a specially crafted ICC (International Color Consortium) profile supplied to the QColorSpace::fromICCProfile method, which triggers the vulnerability. An attacker can thereby cause the affected application or system to crash or become unresponsive through the improper handling of color profile data. The flaw is fixed in Qt versions 6.8.4 and 6.9.2. The CVSS v4.0 base score is 2.3 (low severity), primarily because the attack requires user interaction (UI:P), has high attack complexity (AC:H), and needs no privileges or authentication. No exploits in the wild are known at this time. The impact on confidentiality and integrity is minimal; the primary concern is availability, through denial of service. The scope is limited to applications that use the affected Qt versions and process ICC profiles via the vulnerable functions. The vulnerability does not propagate beyond the vulnerable component, and no privilege escalation or code execution is indicated.

Potential Impact

For European organizations, the impact of CVE-2025-5992 is generally limited but should not be overlooked. Qt is widely used in various software applications, including embedded systems, desktop applications, and some industrial control systems. Organizations that rely on software built with the affected Qt versions and that process ICC profiles—such as graphic design tools, printing software, or multimedia applications—may experience service disruptions if targeted. A denial of service could lead to temporary loss of availability of critical applications, potentially affecting productivity or operational continuity. While the severity is low, sectors with high availability requirements, such as healthcare, manufacturing, or transportation, could face operational challenges if the vulnerability is exploited. However, the need for user interaction and high attack complexity reduces the likelihood of widespread exploitation. The absence of known exploits in the wild further lowers immediate risk but does not eliminate the need for vigilance and patching.

Mitigation Recommendations

European organizations should prioritize updating Qt to versions 6.8.4 or 6.9.2 or later to remediate this vulnerability. Beyond patching, organizations should implement strict input validation and sanitization for all user-supplied data, especially when handling ICC profiles or other external color profile data. Application developers should audit their use of Qt's color management APIs to ensure they do not process untrusted ICC profiles without validation. Employing application-layer sandboxing or containerization can limit the impact of potential crashes caused by malformed inputs. Monitoring application logs for crashes or unusual behavior related to color profile processing can help detect attempted exploitation. Additionally, organizations should educate users about the risks of opening untrusted files, particularly ICC profiles embedded in documents or images. For embedded or industrial systems using Qt, firmware or software updates should be tested and deployed promptly to minimize exposure.
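As an added illustration of the recommendation above to validate untrusted ICC profiles before they reach Qt's color management APIs (example code written for this page, not Qt's code and not the upstream fix), the Python checker below rejects ICC blobs whose declared size, tag table or tag offsets do not fit inside the buffer, and parametric curve ('para') elements with an undefined function type or a non-positive gamma, before the blob would be handed to an API such as QColorSpace::fromICCProfile. The header and tag layouts follow the public ICC.1 specification; the size and tag-count caps are assumed local policy values, and the advisory does not state which out-of-range values trigger CVE-2025-5992, so this is a generic structural gate rather than a targeted fix. The sample profiles are constructed inline.

```python
"""Structural pre-validation of an ICC profile before QColorSpace::fromICCProfile
sees it. Added example for this advisory: not Qt code, not the upstream fix.
Layout follows ICC.1 (128-byte header, big-endian size at 0..3, 'acsp' at 36..39,
tag count at 128..131, 12-byte tag entries; 'para' element: uint16 function type
at 8..9, then s15Fixed16 parameters). Size/count caps are assumed policy values."""
import struct

ICC_HEADER_SIZE = 128
ICC_MAGIC = b"acsp"
TAG_ENTRY_SIZE = 12
MAX_PROFILE_SIZE = 16 * 1024 * 1024  # assumed policy cap
MAX_TAG_COUNT = 256                  # assumed policy cap

# parametricCurveType function type -> number of s15Fixed16 parameters (ICC.1)
PARA_PARAM_COUNT = {0: 1, 1: 3, 2: 4, 3: 5, 4: 7}


def _check_para(tag: bytes) -> tuple[bool, str]:
    """Validate one 'para' element: defined function type, enough parameters,
    and a positive gamma (a non-positive exponent is not a usable curve)."""
    (func_type,) = struct.unpack(">H", tag[8:10])
    if func_type not in PARA_PARAM_COUNT:
        return False, f"undefined parametric function type {func_type}"
    count = PARA_PARAM_COUNT[func_type]
    needed = 12 + 4 * count
    if len(tag) < needed:
        return False, f"type {func_type} needs {needed} bytes, element has {len(tag)}"
    params = [v / 65536.0 for v in struct.unpack(f">{count}i", tag[12:needed])]
    if params[0] <= 0:
        return False, f"non-positive gamma {params[0]}"
    return True, "ok"


def check_icc_profile(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for a raw ICC profile blob."""
    if len(data) < ICC_HEADER_SIZE + 4:
        return False, "shorter than header plus tag count"
    if len(data) > MAX_PROFILE_SIZE:
        return False, "exceeds policy size cap"
    (declared_size,) = struct.unpack(">I", data[0:4])
    if declared_size < ICC_HEADER_SIZE + 4 or declared_size > len(data):
        return False, f"declared size {declared_size} does not fit buffer of {len(data)}"
    if data[36:40] != ICC_MAGIC:
        return False, "missing 'acsp' signature"
    (tag_count,) = struct.unpack(">I", data[128:132])
    if tag_count > MAX_TAG_COUNT:
        return False, f"tag count {tag_count} exceeds policy cap"
    table_end = ICC_HEADER_SIZE + 4 + tag_count * TAG_ENTRY_SIZE
    if table_end > declared_size:
        return False, "tag table runs past declared size"
    for i in range(tag_count):
        entry = ICC_HEADER_SIZE + 4 + i * TAG_ENTRY_SIZE
        sig, off, size = struct.unpack(">4sII", data[entry:entry + TAG_ENTRY_SIZE])
        # every tag's data must lie after the header and inside the declared size
        if off < ICC_HEADER_SIZE or off + size > declared_size:
            return False, f"tag {sig!r} at {off}+{size} lies outside the profile"
        if size >= 12 and data[off:off + 4] == b"para":
            ok, why = _check_para(data[off:off + size])
            if not ok:
                return False, f"tag {sig!r}: {why}"
    return True, "structurally sane"


def para_tag(func_type: int, *params: float) -> bytes:
    """Encode a constructed parametricCurveType element."""
    fixed = [int(round(p * 65536)) for p in params]
    return (b"para" + b"\0" * 4 + struct.pack(">H", func_type) + b"\0" * 2
            + struct.pack(f">{len(fixed)}i", *fixed))


def build_profile(tags: list[tuple[bytes, bytes]]) -> bytes:
    """Assemble a minimal constructed ICC blob: header, tag table, tag data."""
    table_len = 4 + TAG_ENTRY_SIZE * len(tags)
    data_start = ICC_HEADER_SIZE + table_len
    table, body = struct.pack(">I", len(tags)), b""
    for sig, payload in tags:
        table += struct.pack(">4sII", sig, data_start + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)  # 4-byte alignment
    header = struct.pack(">I", data_start + len(body)) + b"\0" * 32 + ICC_MAGIC
    return header + b"\0" * (ICC_HEADER_SIZE - len(header)) + table + body


def demo() -> dict[str, bool]:
    """Run the checker over constructed samples; returns name -> accepted."""
    good = build_profile([(b"rTRC", para_tag(0, 2.2))])
    oob = bytearray(good)
    struct.pack_into(">I", oob, 136, 100_000)  # push the only tag far outside the buffer
    samples = {
        "well-formed": good,
        "undefined para type": build_profile([(b"rTRC", para_tag(9, 2.2))]),
        "zero gamma": build_profile([(b"rTRC", para_tag(0, 0.0))]),
        "truncated": good[:-8],
        "tag out of bounds": bytes(oob),
    }
    results = {}
    for name, blob in samples.items():
        ok, why = check_icc_profile(blob)
        results[name] = ok
        print(f"{name:20} -> {'accept' if ok else 'reject'}: {why}")
    return results


if __name__ == "__main__":
    demo()
```

Running the module prints an accept/reject verdict for each constructed sample. In a Qt application the same check would sit on the raw bytes just before they are passed to QColorSpace::fromICCProfile, and the advisory's logging recommendation applies at the same point: a rejected profile is worth recording with its reason, since a burst of rejections from one source is the observable counterpart of the crashes the advisory suggests monitoring.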


Technical Details

Data Version: 5.1
Assigner Short Name: TQtC
Date Reserved: 2025-06-11T06:08:27.335Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6870b6b3a83201eaacacdbda

Added to database: 7/11/2025, 7:01:07 AM

Last enriched: 7/11/2025, 7:16:32 AM

Last updated: 8/22/2025, 11:39:33 AM
