KDE Project Security Advisory
=============================

Title:          KDE Connect Android: malicious device IDs could make KDE Connect crash
Risk rating:    Medium
CVE:            CVE-2025-32901
Versions:       KDE Connect Android < 1.33.0
Date:           18 April 2025

Overview
========

KDE Connect discovers other devices by sending broadcast UDP packets to the
network. These packets contain a device ID and display information such as the
device name and the device type (used to choose a device icon).

Since UDP is unauthenticated, an attacker could send a packet with an invalid
device ID, which could make KDE Connect crash when trying to save it.

CWE-1287: Improper Validation of Specified Type of Input

Impact
======

An attacker could make KDE Connect crash on devices on the network, resulting
in a denial of service (DoS).

Workaround
==========

We advise you to stop KDE Connect when on untrusted networks, such as those at
airports or conferences.

Solution
========

Update KDE Connect Android to 1.33.0 or later.

Credits
=======

Thanks to Cezar Lungu for reporting this issue.
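
The class of check described in the Overview (CWE-1287), as an added example that is not KDE Connect's code or its actual fix: a receiver validates every field of an unauthenticated discovery datagram and drops the packet instead of raising. The JSON field names, the allowed ID pattern, the size limits and the device-type set are assumptions chosen for illustration.

```python
import json
import re

# Assumed policy (not KDE Connect's actual rule): short token of safe characters.
DEVICE_ID_RE = re.compile(r"[A-Za-z0-9_-]{8,64}")
KNOWN_TYPES = {"phone", "tablet", "desktop", "laptop", "tv"}  # assumed set
MAX_DATAGRAM = 8192
MAX_NAME = 64


def parse_discovery_packet(datagram: bytes):
    """Return validated fields, or None to drop; never raises on sender input."""
    if len(datagram) > MAX_DATAGRAM:
        return None
    try:
        packet = json.loads(datagram.decode("utf-8"))
    except (ValueError, RecursionError):  # bad UTF-8, bad JSON, deep nesting
        return None
    if not isinstance(packet, dict):
        return None

    device_id = packet.get("deviceId")
    # Check the type first: JSON lets the sender supply a list, number or null.
    # fullmatch() also rejects a trailing newline that "$" would let through.
    if not isinstance(device_id, str) or not DEVICE_ID_RE.fullmatch(device_id):
        return None

    # Display-only fields are sanitised instead of trusted.
    name = packet.get("deviceName")
    if not isinstance(name, str):
        return None
    name = "".join(c for c in name if c.isprintable()).strip()[:MAX_NAME]
    if not name:
        return None
    dev_type = packet.get("deviceType")
    if not isinstance(dev_type, str) or dev_type not in KNOWN_TYPES:
        dev_type = "unknown"  # fall back to a generic icon
    return {"deviceId": device_id, "deviceName": name, "deviceType": dev_type}


# Constructed sample datagrams (not captured traffic).
GOOD = b'{"deviceId": "a1b2c3d4_e5f6_7890_abcd", "deviceName": "Pixel", "deviceType": "phone"}'
SAMPLES = [
    GOOD,
    b'{"deviceId": "not a valid id!", "deviceName": "x", "deviceType": "phone"}',
    b'{"deviceId": ["a1b2c3d4"], "deviceName": "x", "deviceType": "phone"}',
    b"\xff\xfe not json",
]
RESULTS = [parse_discovery_packet(s) for s in SAMPLES]
```

Only the first sample yields a record; the other three are dropped before any field reaches storage or the UI.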