Description

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..

Classification

CVE ID: CVE-2024-39936

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AC:L/AV:N/A:N/C:H/I:N/PR:N/S:C/UI:N

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 24.8% (scored less or equal to compared to others)

EPSS Date: 2025-04-17 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2024-39936
https://codereview.qt-project.org/c/qt/qtbase/+/571601

Timeline