KDE Connect Under Attack? CVE-2025-32899 Forces Unpairing on Android

Overview

CVE-2025-32899 describes a medium-severity vulnerability affecting KDE Connect versions prior to 1.33.0 on Android. This flaw allows an attacker to craft a malicious network packet that, when received by a paired KDE Connect device, forces that device to unpair from its connected partner. The trigger is a specially crafted discovery packet sent over broadcast UDP.

Technical Details

The vulnerability resides in KDE Connect's discovery mechanism, which relies on UDP broadcast packets to identify other devices and establish connections between them. The crafted packet exploits a weakness in how incoming discovery packets are parsed and validated: an invalid or malformed discovery packet, sent over UDP broadcast, can trigger an unpairing event between devices that are already paired. The packet requires no authentication; the attacker only needs network access to the target Android device.
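As an added example (not code from the original article or from the KDE Connect project), the following defender-side validator rejects discovery datagrams that fail basic structural checks and counts rejects per source, run over constructed sample datagrams. It assumes the KDE Connect packet shape (one JSON object per datagram with id, type and body; discovery packets typed kdeconnect.identity carrying deviceId, deviceName and protocolVersion in the body) and a size cap; those are assumptions rather than facts stated on this page, and the malformed samples are illustrative, not the packet that triggers CVE-2025-32899.

```python
import json
from collections import Counter

# Assumed wire shape (KDE Connect protocol as I know it, not stated on this page):
# one JSON object per datagram with "id", "type" and "body"; discovery packets
# use type "kdeconnect.identity" and carry device identity fields in "body".
DISCOVERY_TYPE = "kdeconnect.identity"
REQUIRED_BODY_FIELDS = ("deviceId", "deviceName", "protocolVersion")
MAX_DATAGRAM = 8192  # hypothetical defender-chosen bound, not a protocol constant


def validate_discovery(payload: bytes):
    """Return None if payload is a well-formed discovery packet, else a reason string."""
    if len(payload) > MAX_DATAGRAM:
        return "oversized datagram"
    try:
        pkt = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return "not valid JSON"
    if not isinstance(pkt, dict) or pkt.get("type") != DISCOVERY_TYPE:
        return "not a discovery packet"
    body = pkt.get("body")
    if not isinstance(body, dict):
        return "body is not an object"
    for field in REQUIRED_BODY_FIELDS:
        if field not in body:
            return f"missing {field}"
    if not isinstance(body["deviceId"], str) or not body["deviceId"]:
        return "empty deviceId"
    if not isinstance(body["protocolVersion"], int):
        return "non-integer protocolVersion"
    return None


def triage(datagrams):
    """datagrams: iterable of (source_ip, payload) seen on the discovery port.
    Returns (alerts, per-source reject counts); a source that keeps sending
    rejected packets is the repeated-unpairing pattern worth investigating."""
    alerts, rejects = [], Counter()
    for src, payload in datagrams:
        reason = validate_discovery(payload)
        if reason is not None:
            rejects[src] += 1
            alerts.append((src, reason))
    return alerts, rejects


# Constructed sample datagrams (not real captures): one valid, three that fail checks.
SAMPLE = [
    ("192.0.2.10", json.dumps({"id": 1, "type": DISCOVERY_TYPE, "body": {
        "deviceId": "phone01", "deviceName": "Pixel", "protocolVersion": 7}}).encode()),
    ("192.0.2.99", b'{"id": 2, "type": "kdeconnect.identity", "body": {"deviceName": "x"}}'),
    ("192.0.2.99", b'{"id": 3, "type": "kdeconnect.identity", "body": "garbage"}'),
    ("192.0.2.99", b'{"id": 4, "type": "kdeconnect.identity", "body": {'),
]
```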

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) v3.1 score for CVE-2025-32899 is 4.3 (Medium). The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. This translates to:

  • Attack Vector (AV): Network (N) – The attacker can exploit the vulnerability over the network.
  • Attack Complexity (AC): Low (L) – No special conditions are needed to carry out the attack.
  • Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
  • User Interaction (UI): None (N) – No user interaction is required.
  • Scope (S): Unchanged (U) – The impact stays within the vulnerable component; no other security scope is affected.
  • Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
  • Integrity Impact (I): Low (L) – The attacker can modify the device’s state by forcing it to unpair.
  • Availability Impact (A): None (N) – There is no impact to availability.

Possible Impact

While the CVSS score indicates a medium severity, the impact can still be disruptive. A successful attack results in the forced unpairing of devices connected via KDE Connect. This can lead to:

  • Loss of Functionality: Features that rely on KDE Connect, such as sharing files, notifications, or remote control, will be interrupted.
  • User Inconvenience: Users will need to manually re-pair their devices, which can be frustrating.
  • Potential for Targeted Attacks: An attacker could repeatedly trigger the unpairing to disrupt a user’s workflow or potentially as part of a larger, more complex attack.

Mitigation and Patch Steps

The recommended mitigation is to upgrade to KDE Connect version 1.33.0 or later. This version contains a fix that addresses the vulnerability. Users should update their KDE Connect app through the Google Play Store or their preferred method of application updates. If an update is not immediately available, consider temporarily disabling KDE Connect or limiting its network access to trusted networks until the update can be applied.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
