First published: Mon Sep 13 2021(Updated: )
A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Matrix Element | <1.2.2 | |
Matrix Matrix-android-sdk2 | <1.2.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-40824 is a vulnerability in the room key sharing functionality of Element Android and matrix-android-sdk2, allowing a malicious Matrix homeserver to steal room encryption keys.
CVE-2021-40824 affects Element Android versions before 1.2.2 and matrix-android-sdk2 versions before 1.2.2.
CVE-2021-40824 has a severity score of 5.9, which is classified as medium.
To fix CVE-2021-40824, update Element Android to version 1.2.2 or later and matrix-android-sdk2 to version 1.2.2 or later.
You can find more information about CVE-2021-40824 on the NVD website (https://nvd.nist.gov/vuln/detail/CVE-2021-40824) and the Matrix.org blog (https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing).