13 Sep 2021 [security]

Internal audit uncovers critical encryption vulnerability in multiple Matrix clients

A critical implementation bug1 was discovered in Matrix2 clients and SDK’s that use E2EE (end-to-end encryption), after an internal audit that was conducted by Denis Kasak, an internal researcher at Element3.

Known vulerable software that has been affected:

The recommended action is to immediately upgrade your software:

Patched versions of affected clients are available now; please upgrade as soon as possible — we apologise sincerely for the inconvenience.

The bug was discovered 3 weeks ago and the public was notified today:

For an extended timeline of events and more in-depth analysis you can visit Element’s blog page4.

  1. https://cve.circl.lu/cve/CVE-2021-40823, https://cve.circl.lu/cve/CVE-2021-40824 

  2. https://matrix.org/ 

  3. https://element.io/ 

  4. https://matrix.org/blog/2021/09/13/vulnerability-disclosure-key-sharing