In a recent advisory, Qt disclosed a vulnerability in the library's implementation of the HTTP/2 protocol. The vulnerability, identified as CVE-2023-51714, allows data to be written outside the allocated buffer. It stems from an integer overflow in the code that parses compressed headers (HPACK), and is triggered when the library receives more than 4 GB of HTTP header data in total, or more than 2 GB for a single header.
The issue has been addressed in the latest updates of Qt. The Qt team has released patches in versions Qt 5.15.17, 6.2.11, 6.5.4 and 6.6.2.
To learn more about the vulnerability, refer to the official blog post. Additionally, you can find detailed information about the fix and changes in the code on the Qt Project Code Review.
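The class of bug described above, as an added example that is not Qt's code and is not taken from the advisory or the patch: a 32-bit running total of decoded header sizes wraps once it passes 4 GB, while a checked version rejects the input at both the per-field and the total boundary. The type and function names, the sample lengths and the `limit` parameter are assumptions made for illustration; the 32-byte per-entry overhead is the entry size rule from RFC 7541, section 4.1.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <utility>
#include <vector>

// (name length, value length) per decoded field. Constructed model: only lengths
// are tracked, so multi-gigabyte inputs can be described without allocating them.
using FieldLengths = std::pair<std::uint64_t, std::uint64_t>;
const std::uint32_t kEntryOverhead = 32; // per-entry overhead, RFC 7541 section 4.1

// Constructed samples: four 1 GiB values (just over 4 GiB in total), and a tiny list.
std::vector<FieldLengths> sample_wrapping() { return std::vector<FieldLengths>(4, FieldLengths(0, 1ull << 30)); }
std::vector<FieldLengths> sample_small() { return {{4, 5}, {3, 3}}; }

// Naive 32-bit accumulation: the sum wraps modulo 2^32 once it passes 4 GiB.
std::uint32_t unchecked_list_size(const std::vector<FieldLengths> &fields)
{
    std::uint32_t total = 0;
    for (const FieldLengths &f : fields)
        total += static_cast<std::uint32_t>(f.first)
               + static_cast<std::uint32_t>(f.second) + kEntryOverhead;
    return total;
}

// Checked accumulation against a receiver-side cap `limit` (hypothetical parameter).
bool checked_list_size(const std::vector<FieldLengths> &fields, std::uint32_t limit, std::uint32_t *out)
{
    const std::uint64_t maxField = std::numeric_limits<std::int32_t>::max();
    std::uint32_t total = 0;
    for (const FieldLengths &f : fields) {
        // A single name or value must fit a signed 32-bit length (the 2 GB case).
        if (f.first > maxField || f.second > maxField) return false;
        // Both operands are below 2^31, so this 64-bit sum cannot overflow.
        const std::uint64_t entry = f.first + f.second + kEntryOverhead;
        // total <= limit always holds, so limit - total cannot underflow (the 4 GB case).
        if (entry > limit - total) return false;
        total += static_cast<std::uint32_t>(entry);
    }
    *out = total;
    return true;
}

int main()
{
    std::uint32_t n = 0;
    std::printf("unchecked=%u checked_ok=%d\n", unchecked_list_size(sample_wrapping()),
                checked_list_size(sample_wrapping(), 65536, &n));
}
```

With the constructed four-field sample the unchecked total comes out as 128 bytes, which is what any later allocation or bounds decision would be based on.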