CVE-2021-40824

5.9 MEDIUM

Published: 2021-09-13 · Last updated: 2026-06-17

Severity and scoring

CVSS: 5.9 MEDIUM
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-290

Affected products

Vendor: matrix
Product: element, matrix-android-sdk2

Description

A logic error in the room key sharing functionality of Element Android before 1.2.2 and matrix-android-sdk2 (aka Matrix SDK for Android) before 1.2.2 allows a malicious Matrix homeserver present in an encrypted room to steal room encryption keys (via crafted Matrix protocol messages) that were originally sent by affected Matrix clients participating in that room. This allows the attacker to decrypt end-to-end encrypted messages sent by affected clients.

Source: NVD

Related CVEs

Same vendor

  • CVE-2021-40823 A logic error in the room key sharing functionality of matrix-js-sdk (aka Matrix Javascript SDK) before 12.4.1 allows a malicious Matrix ... (5.9 MEDIUM)
  • CVE-2021-39164 Matrix is an ecosystem for open federated Instant Messaging and Voice over IP (3.1 LOW)
  • CVE-2021-39163 Matrix is an ecosystem for open federated Instant Messaging and Voice over IP (3.1 LOW)

Same CWE

  • CVE-2026-53857 OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowF... (8.1 HIGH)
  • CVE-2026-53849 OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account i... (8.1 HIGH)
  • CVE-2026-42662 Unauthenticated Bypass Vulnerability in Event Tickets <= 5.27.5 versions (6.5 MEDIUM)
  • CVE-2026-27089 Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions (7.5 HIGH)
  • CVE-2026-36537 ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange (9.8 CRITICAL)