#VU107601 Input validation error in KDE Connect Android - CVE-2025-32901

Cybersecurity Help s.r.o.

Published: 2025-04-18

Vulnerability identifier: #VU107601

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-32901

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
KDE Connect Android
Mobile applications / Apps for mobile phones

Vendor: KDE.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when handling UDP broadcasts. A remote attacker on the local network can send a specially crafted UDP broadcast packet and crash the application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

KDE Connect Android: 0.1 - 1.32.11

External links
https://kde.org/info/security/advisory-20250418-4.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in KDE Connect apps