CVE-2025-4211 | Improper Link Resolution Before File Access in QFileSystemEngine on Windows

Improper Link Resolution Before File Access ('Link Following') vulnerability in QFileSystemEngine in the Qt corelib module on Windows which potentially allows Symlink Attacks and the use of Malicious Files. Issue originates from CVE-2024-38081. The vulnerability arises from the use of the GetTempPath API, which can be exploited by attackers to manipulate temporary file paths, potentially leading to unauthorized access and privilege escalation. The affected public API in the Qt Framework is QDir::tempPath() and anything that uses it, such as QStandardPaths with TempLocation, QTemporaryDir, and QTemporaryFile.This issue affects all version of Qt up to and including 5.15.18, from 6.0.0 through 6.5.8, from 6.6.0 through 6.8.1. It is fixed in Qt 5.15.19, Qt 6.5.9, Qt 6.8.2, 6.9.0

Published: 2025-05-16 Last update: 2026-04-15 Assigner: a59d8014-47c4-4630-ab43-e1b13cbe58e3 Source: a59d8014-47c4-4630-ab43-e1b13cbe58e3
NVD Status:DeferredCVE State: published
View at NVD, CVE.org, EUVD

CVE-2025-4211 is rated Moderate Risk (42.2/100): CVSS High severity, with low exploitation likelihood (EPSS 0.16%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2025-4211

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-03-12 0.05% 0.16% +0.11%
2 2026-01-30 0.04% 0.05% +0.02%
3 2025-11-21 0.04%

Full EPSS history (5 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2025-4211

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
7.3 4.0 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X Click to expand
Attack vector (AV:L)
Attacker needs local access on the target system.
Attack complexity (AC:L)
Exploitation conditions are straightforward and stable.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:L)
Low privileges are required.
User interaction (UI:P)
A user has to participate (for example click/open/approve).
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:H)
High integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:H)
High availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:H)
High integrity impact on subsequent systems.
Subsequent system availability impact (SA:H)
High availability impact on subsequent systems.
Exploit maturity (threat) (E:X)
Not defined: no reliable threat intelligence; scoring assumes the worst case (equivalent to Attacked).
Confidentiality requirement (CR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Integrity requirement (IR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Availability requirement (AR:X)
Not defined: insufficient information; scoring treats this like High (worst case).
Modified attack vector (MAV:X)
Not defined: scoring uses the Base Attack Vector (AV).
Modified attack complexity (MAC:X)
Not defined: scoring uses the Base Attack Complexity (AC).
Modified attack requirements (MAT:X)
Not defined: scoring uses the Base Attack Requirements (AT).
Modified privileges required (MPR:X)
Not defined: scoring uses the Base Privileges Required (PR).
Modified user interaction (MUI:X)
Not defined: scoring uses the Base User Interaction (UI).
Modified vulnerable system confidentiality impact (MVC:X)
Not defined: scoring uses the Base VC metric.
Modified vulnerable system integrity impact (MVI:X)
Not defined: scoring uses the Base VI metric.
Modified vulnerable system availability impact (MVA:X)
Not defined: scoring uses the Base VA metric.
Modified subsequent system confidentiality impact (MSC:X)
Not defined: scoring uses the Base SC metric.
Modified subsequent system integrity impact (MSI:X)
Not defined: scoring uses the Base SI metric.
Modified subsequent system availability impact (MSA:X)
Not defined: scoring uses the Base SA metric.
Safety (supplemental) (S:P)
Present: impact meets IEC 61508 marginal, critical, or catastrophic safety consequence levels.
Automatable (supplemental) (AU:X)
Not evaluated.
Recovery (supplemental) (R:X)
Not evaluated.
Value density (supplemental) (V:X)
Not evaluated.
Vulnerability response effort (supplemental) (RE:X)
Not evaluated.
Provider urgency (supplemental) (U:X)
Not evaluated.
 a59d8014-47c4-4630-ab43-e1b13cbe58e3

Weakness enumeration for CVE-2025-4211

OS Trackers for CVE-2025-4211

vendor priority summary link
debian unimportant CVE-2025-4211 unimportant priority: Debian including 3 source packages (qt6-base, qtbase-opensource-src, qtbase-opensource-src-gles), 14 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 14. https://security-tracker.debian.org/tracker/CVE-2025-4211
redhat high https://access.redhat.com/security/cve/CVE-2025-4211
ubuntu medium CVE-2025-4211 medium priority: Ubuntu including 3 source packages (qt6-base, qtbase-opensource-src, qtbase-opensource-src-gles), 24 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, questing, upstream, xenial): ignored 12, needs-triage 8, not-affected 3, DNE 1. https://ubuntu.com/security/CVE-2025-4211

Affected software / configurations for CVE-2025-4211

Vendor Product Version Raw CPE
No affected products in dataset.

References for CVE-2025-4211

cvelogic Threat Intelligence