Overview
CVE-2025-55174 is a low-severity vulnerability affecting KDE Skanpage versions prior to 25.08.0. This vulnerability relates to a potential file overwrite issue where an attempted overwrite can result in a corrupted file. Instead of completely replacing the old file with the new content, the resulting file may contain the new content at the beginning followed by fragments of the original file appended to the end. This occurs because Skanpage incorrectly uses `QIODevice::ReadWrite` instead of the intended `QIODevice::WriteOnly` when writing the new file. The vulnerability was published on 2025-11-26.
Technical Details
The core of the problem lies in the improper usage of the `QIODevice::ReadWrite` flag when opening a file for writing. This flag allows both reading and writing to the file. When Skanpage attempts to overwrite an existing file, it opens the file in `ReadWrite` mode. If the new content is shorter than the old content, the remaining portion of the old file will remain intact, leading to the concatenation of the new content with the trailing remnants of the old content. The correct approach would be to use `QIODevice::WriteOnly`, which would truncate the existing file before writing the new data, ensuring a complete overwrite.
The specific commit that addresses this issue is available at this KDE Invent link.
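The leftover-tail behaviour described above, as an added example that is not Skanpage's code. It uses standard C++ file streams as a stand-in for the Qt open modes: opening an existing file for update without truncation corresponds to `QIODevice::ReadWrite`, while a plain write-only open truncates, as `QIODevice::WriteOnly` does for files. The file name, contents and function names are constructed for illustration.

```cpp
#include <cstdio>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>

// Read a whole file back as bytes.
std::string slurp(const std::string &path) {
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

// Create or replace a file with known content (setup for the demo).
void seed(const std::string &path, const std::string &data) {
    std::ofstream out(path, std::ios::binary | std::ios::trunc);
    out << data;
}

// Stand-in for QIODevice::ReadWrite: the existing file is opened for update
// and NOT truncated, so bytes beyond the new content survive.
bool overwrite_read_write(const std::string &path, const std::string &data) {
    std::fstream f(path, std::ios::in | std::ios::out | std::ios::binary);
    if (!f) return false;
    f.write(data.data(), static_cast<std::streamsize>(data.size()));
    return static_cast<bool>(f.flush());
}

// Stand-in for QIODevice::WriteOnly: the file is truncated on open.
bool overwrite_write_only(const std::string &path, const std::string &data) {
    std::ofstream f(path, std::ios::out | std::ios::binary);
    if (!f) return false;
    f.write(data.data(), static_cast<std::streamsize>(data.size()));
    return static_cast<bool>(f.flush());
}

// Post-write integrity check: the file must hold exactly the new content.
bool is_clean_overwrite(const std::string &path, const std::string &expected) {
    return slurp(path) == expected;
}

int main() {
    const std::string path = "skanpage_demo.txt";           // constructed name
    const std::string old_doc = "OLD-SCAN-0123456789-END";  // constructed content
    const std::string new_doc = "NEW-SCAN";                 // shorter than old_doc
    seed(path, old_doc); overwrite_read_write(path, new_doc);
    std::cout << "ReadWrite: " << slurp(path) << "\n";
    seed(path, old_doc); overwrite_write_only(path, new_doc);
    std::cout << "WriteOnly: " << slurp(path) << "\n";
    std::remove(path.c_str());
}
```

A size or content comparison like `is_clean_overwrite` after saving is a cheap way to catch this class of bug in tests.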
CVSS Analysis
This vulnerability has been assigned a CVSS score of 3.2, indicating low severity. The CVSS vector is likely similar to AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. Let’s break down the CVSS score:
- Severity: Low
- CVSS Score: 3.2
- Vector (Example): AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Explanation:
  - AV:L (Attack Vector: Local): The attacker needs local access to exploit the vulnerability.
  - AC:L (Attack Complexity: Low): The attack is relatively easy to perform.
  - PR:N (Privileges Required: None): No privileges are required to perform the attack.
  - UI:R (User Interaction: Required): User interaction is required for the attack to succeed (e.g., the user needs to open a specially crafted file).
  - S:U (Scope: Unchanged): The vulnerability’s impact is limited to the affected component.
  - C:N (Confidentiality: None): There is no impact to confidentiality.
  - I:L (Integrity: Low): There is a low impact to integrity (the file is partially overwritten).
  - A:N (Availability: None): There is no impact to availability.
Because user interaction is required and the impact is limited to potential data corruption in specific scenarios, the severity remains low.
Possible Impact
The impact of CVE-2025-55174 is relatively limited. The primary concern is potential data corruption when Skanpage attempts to overwrite existing files. This corruption occurs because old data is appended to the end of the new data. This could lead to unexpected behavior or errors when attempting to access or process the overwritten file. The user would likely notice the data corruption, limiting the scope of a successful attack.
Mitigation/Patch Steps
The recommended mitigation is to update to KDE Skanpage version 25.08.0 or later. This version contains the fix that corrects the file writing behavior and uses `QIODevice::WriteOnly` to ensure complete file overwrites.
You can update Skanpage through your distribution’s package manager or by downloading the latest version from the KDE website.
