Security advisory: Recently reported incomplete cleanup issue in Qt's Schannel handling can impact Qt

There is an "Incomplete Cleanup" problem in Qt's Schannel handling when it is used to provide a server handling incoming TLS connections.

This has been assigned the CVE id CVE-2025-6338.


Affected versions: This issue affects only the Schannel functionality on Windows: in Qt 5.15 when it is explicitly turned on, and from Qt 6.2 onward, where it is the default.

Impact: For every connection made, a 4KB file is created that is cleaned up by neither the application nor Qt. As a result, all the available disk space can eventually be consumed. It is assumed that rebooting the computer also cleans up these files, as Windows does its own cleanup, but this is not confirmed.

Vulnerability Score: CVSS v4.0: 9.2

Solution: As a workaround, periodic cleanup can be done in the directory %APPDATA%\Roaming\Microsoft\Crypto\RSA\<user SID>. Alternatively, apply the corresponding patch for your version or upgrade to Qt 6.5.10, 6.8.4 or 6.9.2.

6.9: https://download.qt.io/official_releases/qt/6.9/CVE-2025-5991-qtbase-6.9.patch or https://codereview.qt-project.org/c/qt/qtbase/+/653082
6.8: https://download.qt.io/official_releases/qt/6.8/CVE-2025-6338-qtbase-6.8.patch or https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/653128
6.5: https://download.qt.io/official_releases/qt/6.5/CVE-2025-6338-qtbase-6.5.patch or https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/654600
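The periodic cleanup workaround above, as an added PowerShell example that is not part of the advisory or of the Qt project: it reports stale small files in the current user's key-container directory and removes them only when asked. It assumes the leaked files are about 4KB as the advisory states, that files older than a configurable age are no longer tied to a live connection, and that the path is built from $env:APPDATA (which already expands to the Roaming folder); the directory also holds legitimate CSP key containers, so the size and age filters and the -WhatIf support are there to avoid deleting real keys.

```powershell
# Added example (not Qt's own code): report and optionally remove stale per-connection
# files left in the per-user CryptoAPI key-container directory named in the advisory.
# Assumptions: leaked files are ~4 KB (per the advisory); anything older than
# -MinAgeMinutes is no longer in use. Legitimate key containers live here too, so the
# script only reports unless -Remove is given, and honours -WhatIf / -Confirm.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MinAgeMinutes = 60,      # assumed safe age; tune to your connection lifetimes
    [int]$MaxSizeBytes  = 8KB,     # advisory reports ~4 KB per leaked file
    [switch]$Remove
)

# %APPDATA% already resolves to ...\AppData\Roaming, so do not append "Roaming" again.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$dir = Join-Path $env:APPDATA "Microsoft\Crypto\RSA\$sid"
if (-not (Test-Path -LiteralPath $dir)) {
    Write-Warning "Directory not found: $dir"
    return
}

$cutoff = (Get-Date).AddMinutes(-$MinAgeMinutes)
$candidates = @(Get-ChildItem -LiteralPath $dir -File |
    Where-Object { $_.Length -le $MaxSizeBytes -and $_.LastWriteTime -lt $cutoff })

# Summary line doubles as a simple growth check when run on a schedule.
$total = ($candidates | Measure-Object -Property Length -Sum).Sum
"{0} candidate file(s), {1:N0} bytes, in {2}" -f $candidates.Count, [int64]$total, $dir

if ($Remove) {
    foreach ($f in $candidates) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Remove stale key-container file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it first without -Remove (or with -Remove -WhatIf) and compare the reported count against the number of recent TLS connections before scheduling it.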
