KDE Project Security Advisory
=============================

Title:          KDE Connect Android: a packet can be crafted that causes two paired devices to unpair
Risk rating:    Important
CVE:            CVE-2025-32899
Versions:       KDE Connect Android < 1.33.0
Date:           18 April 2025

Overview
========

KDE Connect discovers other devices by sending broadcast UDP packets to the
network. Before version 1.33.0, the KDE Connect Android app would handle
invalid discovery packets by unpairing the device that sent the packet. Since
UDP is unauthenticated, an attacker could send a packet claiming to be another
device, causing the legitimate device to become unpaired.

CWE-1250: Improper Preservation of Consistency Between Independent
Representations of Shared State

Impact
======

An attacker could cause paired devices on a network to become unpaired,
forcing the user to pair them again.

Workaround
==========

We advise you to stop KDE Connect when on untrusted networks, such as those at
airports or conferences.

Solution
========

Update KDE Connect Android to 1.33.0 or later.

Credits
=======

Thanks to Cezar Lungu for reporting this issue.
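
The flaw described in the Overview, as a simplified model added here for illustration; it is not KDE Connect code. The field names, the validity rule and both handler functions are assumptions. It contrasts a handler that lets an unauthenticated, invalid discovery packet change pairing state with one that only drops it.

```python
# Simplified model of a discovery-packet handler; NOT KDE Connect code.
# Field names and the validity rule below are hypothetical.
import json


def parse_discovery(datagram: bytes):
    """Return (claimed_id, valid). claimed_id is unauthenticated sender-supplied text."""
    try:
        msg = json.loads(datagram.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None, False
    if not isinstance(msg, dict):
        return None, False
    claimed = msg.get("device_id")
    if not isinstance(claimed, str):
        return None, False
    valid = (isinstance(msg.get("device_name"), str)
             and isinstance(msg.get("protocol_version"), int))
    return claimed, valid


def handle_before_fix(datagram: bytes, paired: set) -> str:
    """Behaviour the advisory describes: an invalid packet unpairs its claimed sender."""
    claimed, valid = parse_discovery(datagram)
    if valid:
        return "accepted"
    if claimed in paired:
        paired.discard(claimed)  # trusted state changed on unauthenticated input
        return "unpaired"
    return "dropped"


def handle_hardened(datagram: bytes, paired: set) -> str:
    """Invalid discovery packets are dropped; pairing state is never touched here."""
    _claimed, valid = parse_discovery(datagram)
    return "accepted" if valid else "dropped"


# Constructed sample datagrams (not captured traffic).
GOOD = json.dumps({"device_id": "laptop-1", "device_name": "Laptop",
                   "protocol_version": 1}).encode()
# Claims the identity of a paired device but fails validation.
INVALID_CLAIM = json.dumps({"device_id": "laptop-1"}).encode()

if __name__ == "__main__":
    for handler in (handle_before_fix, handle_hardened):
        paired = {"laptop-1"}
        print(handler.__name__, handler(INVALID_CLAIM, paired), sorted(paired))
```

The same rule applies to any discovery protocol: a claimed identity in an unauthenticated datagram may start a connection attempt, but changes to pairing state belong behind the authenticated channel.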