CVE-2021-40824

Name of the Vulnerable Software and Affected Versions Element Android versions prior to 1.2.2 matrix-android-sdk2 (aka Matrix SDK for Android) versions prior to 1.2.2

Description A logic error in the room key sharing functionality allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys that were originally sent by affected Matrix clients participating in that room. This enables the attacker to decrypt end-to-end encrypted messages sent by affected clients. The issue leads to inadequate identity verification, allowing a key-requesting device to be impersonated.

Recommendations For Element Android versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. For matrix-android-sdk2 (aka Matrix SDK for Android) versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the room key sharing functionality until a patch is available.