CVERadar

CVE-2024-39936

Severity: High
Vendor: Qt
SVRS: 56/100
CVSSv3: 5.9/10
EPSS: 0.00087/1

CVE-2024-39936 is a security vulnerability in the HTTP2 implementation within the Qt framework. This flaw affects Qt versions before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Specifically, code intended to make security decisions about active connections can execute prematurely, before the encrypted() signal is emitted and processed, creating a race condition (CWE-367). The SOCRadar Vulnerability Risk Score (SVRS) for CVE-2024-39936 is 56, indicating a moderate risk. Although the score falls below the critical threshold (an SVRS above 80), the "In The Wild" tag on this vulnerability raises the level of concern and warrants attention. Exploitation of this vulnerability could lead to compromised connection security, potentially allowing unauthorized access or data interception. Organizations using affected Qt versions should prioritize patching to mitigate the risk.

In The Wild
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
2025-03-19

2024-07-04
SOCRadar AI Insight

Description:

CVE-2024-39936 is a vulnerability in Qt's HTTP2 implementation in which security-relevant decisions about an established connection can be made too early, before the encrypted() signal has been emitted and processed. This could allow an attacker to bypass security measures and gain access to sensitive information.

Key Insights:

  • The SVRS of 30 indicates that this vulnerability is not considered critical and does not require immediate action.
  • No known threat actors or APT groups are actively exploiting this vulnerability.
  • No active exploits have been published for this vulnerability.
  • CISA has not issued a warning for this vulnerability.

Mitigation Strategies:

  • Update to Qt version 5.15.18, 6.2.13, 6.5.7, or 6.7.3 or later.
  • Implement additional security measures, such as using a web application firewall (WAF) or intrusion detection system (IDS).
  • Monitor network traffic for suspicious activity.

Additional Information:

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

No exploits found for this CVE


News

CVE-2024-39936 | Qt prior 5.15.18/6.2.13/6.5.7/6.7.3 HTTP/2 encrypted information disclosure
vuldb.com2024-07-05
CVE-2024-39936 | Qt prior 5.15.18/6.2.13/6.5.7/6.7.3 HTTP/2 encrypted information disclosure | A vulnerability, which was classified as problematic, was found in Qt. This affects the function encrypted of the component HTTP2 Handler. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2024-39936. It is possible to initiate the attack remotely. There is no

Social Media

2️⃣ 🔐 Security first: HTTP2 vulnerability detected (CVE-2024-39936). If you use XMLHTTPRequest or web services, it is better to disable HTTP2 with this beta key: http2NotSupported = C5A39F2332858154F02E045F64F7FFF8985F4F41
🚨 CVE-2024-39936: Qt HTTP/2 encrypted info disclosure prior 5.15.18/6.2.13/6.5.7/6.7.3. Impact: Sensitive data exposure. Action: Upgrade affected Qt components immediately. #InfoSec #VulnAlert
CVE-2024-39936 An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an es... https://t.co/eqqPWKoICh
[CVE-2024-39936: HIGH] High-risk Qt versions below 6.7.3 have an HTTP2 security flaw where critical security decisions can execute prematurely due to unprocessed signals, posing a cyber security risk.#cybersecurity,#vulnerability https://t.co/pusCDuvM3p https://t.co/AYGjrTy3JX
CVE-2024-39936 An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make securit… https://t.co/DDXIUoG4lN

Affected Software

Configuration 1

Type | Vendor | Product
App  | Qt     | qt

References

Reference | Link
[email protected] | https://codereview.qt-project.org/c/qt/qtbase/+/571601

CWE Details

CWE ID | CWE Name | Description
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.
