#VU107602 Input validation error in KDE Connect Android - CVE-2025-32899

Cybersecurity Help s.r.o.

Published: 2025-04-18

Vulnerability identifier: #VU107602

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-32899

CWE-ID: CWE-20

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
KDE Connect Android
Mobile applications / Apps for mobile phones

Vendor: KDE.org

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the way the application handles broadcast UDP packets. When receiving an invalid discovery UDP packet the application tries unpairing the device that sent the packet. A remote attacker can send malformed UDP packets and disrupt network connectivity.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

KDE Connect Android: 0.1 - 1.32.11

External links
https://kde.org/info/security/advisory-20250418-1.txt

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in KDE Connect apps