CVE-2022-39248: CWE-322: Key Exchange without Entity Authentication in matrix-org matrix-android-sdk2
matrix-android-sdk2 is the Matrix SDK for Android. Prior to version 1.5.1, an attacker cooperating with a malicious homeserver can construct messages that legitimately appear to have come from another person, without any indication such as a grey shield. Additionally, a sophisticated attacker cooperating with a malicious homeserver could employ this vulnerability to perform a targeted attack in order to send fake to-device messages appearing to originate from another user. This could allow the attacker, for example, to inject the key backup secret during a self-verification, making a targeted device start using a malicious key backup spoofed by the homeserver. matrix-android-sdk2 would then additionally sign such a key backup with its device key, spilling trust over to other devices trusting the matrix-android-sdk2 device. These attacks are possible due to a protocol confusion vulnerability that accepts to-device messages encrypted with Megolm instead of Olm. matrix-android-sdk2 version 1.5.1 has been modified to only accept Olm-encrypted to-device messages and to stop signing backups on a successful decryption. Out of caution, several other checks have been audited or added. This attack requires coordination between a malicious homeserver and an attacker, so those who trust their homeservers do not need a workaround.
AI Analysis
Technical Summary
CVE-2022-39248 is a vulnerability in the matrix-android-sdk2, the Android Software Development Kit for the Matrix communication protocol, affecting versions prior to 1.5.1. The core issue is a key exchange without proper entity authentication (CWE-322), combined with improper authentication (CWE-287), which allows a malicious homeserver to impersonate other users by crafting messages that appear to originate from them without any warning indicators such as a grey shield. The vulnerability arises from a protocol confusion flaw where the SDK accepts to-device messages encrypted with the Megolm protocol instead of the intended Olm protocol. This acceptance enables an attacker, in cooperation with a malicious homeserver, to send fake to-device messages that can inject malicious key backup secrets during self-verification processes. Consequently, a targeted device may start using a malicious key backup spoofed by the attacker, which the SDK would then sign with its device key. This action effectively extends trust to the malicious key backup, potentially compromising other devices that trust the affected device. The vulnerability requires coordination between an attacker and a compromised or malicious homeserver, meaning that users who trust their homeservers are not at risk. The fix implemented in version 1.5.1 restricts to-device message acceptance strictly to Olm-encrypted messages and stops signing backups upon successful decryption. Additional checks were audited and added to mitigate the risk. No known exploits in the wild have been reported to date.
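The receive-side rule described above (only Olm-encrypted events are accepted on the to-device path), shown as an added example that is not matrix-android-sdk2 code. The function names `check_to_device` and `triage` are hypothetical, the algorithm strings are the Matrix specification's identifiers, and the sample events are constructed with placeholder keys.

```python
OLM = "m.olm.v1.curve25519-aes-sha2"   # Matrix spec identifier for Olm
MEGOLM = "m.megolm.v1.aes-sha2"        # Matrix spec identifier for Megolm

def check_to_device(event, own_key):
    """Return (accepted, reason) for one encrypted to-device event."""
    content = event.get("content")
    if event.get("type") != "m.room.encrypted" or not isinstance(content, dict):
        return False, "not a well-formed encrypted event"
    algorithm = content.get("algorithm")
    if algorithm != OLM:
        # The protocol-confusion case: Megolm (or anything else) on the to-device path.
        return False, f"algorithm {algorithm!r} is not allowed for to-device messages"
    ciphertext = content.get("ciphertext")
    # Olm ciphertext is a map keyed by the recipient's Curve25519 key;
    # Megolm ciphertext is a single string.
    if not isinstance(ciphertext, dict) or own_key not in ciphertext:
        return False, "Olm payload is not addressed to this device"
    return True, "ok"

def triage(events, own_key):
    """Split events into those passed on to Olm decryption and rejections to log."""
    accepted, rejected = [], []
    for event in events:
        ok, reason = check_to_device(event, own_key)
        if ok:
            accepted.append(event)
        else:
            rejected.append((event.get("sender"), reason))
    return accepted, rejected

# Constructed sample input (placeholder keys and ciphertext, not real traffic).
OWN_KEY = "OWN_CURVE25519_KEY_PLACEHOLDER"
SAMPLE_EVENTS = [
    {"type": "m.room.encrypted", "sender": "@alice:example.org",
     "content": {"algorithm": OLM, "sender_key": "ALICE_KEY_PLACEHOLDER",
                 "ciphertext": {OWN_KEY: {"type": 0, "body": "<ciphertext>"}}}},
    {"type": "m.room.encrypted", "sender": "@alice:example.org",
     "content": {"algorithm": MEGOLM, "sender_key": "ALICE_KEY_PLACEHOLDER",
                 "session_id": "SESSION_PLACEHOLDER", "ciphertext": "<ciphertext>"}},
    {"type": "m.room.encrypted", "sender": "@bob:example.org",
     "content": {"algorithm": OLM, "sender_key": "BOB_KEY_PLACEHOLDER",
                 "ciphertext": {"SOME_OTHER_KEY": {"type": 1, "body": "<ciphertext>"}}}},
]

if __name__ == "__main__":
    passed, dropped = triage(SAMPLE_EVENTS, OWN_KEY)
    print(len(passed), "accepted")
    for sender, reason in dropped:
        print("rejected", sender, reason)
```

Passing this gate authenticates nothing by itself: an accepted event still has to decrypt under an Olm session, and the sender is established from that session's keys rather than from the `sender` field the homeserver supplies.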
Potential Impact
For European organizations using matrix-android-sdk2 versions prior to 1.5.1, this vulnerability poses a significant risk to the confidentiality and integrity of communications. Since the Matrix protocol is used for secure messaging, the ability for a malicious homeserver to impersonate users and inject malicious key backups undermines end-to-end encryption guarantees. This could lead to unauthorized access to sensitive communications, manipulation of message contents, and compromise of cryptographic keys, potentially cascading trust to other devices and users. Organizations relying on Matrix for internal communications, especially those with strict data protection requirements under GDPR, could face data breaches and compliance violations. The attack requires a malicious or compromised homeserver, which may be more likely in federated or self-hosted environments common in Europe. The availability impact is limited, as the attack does not directly disrupt service but rather compromises trust and confidentiality. The absence of user-visible warnings increases the risk of undetected compromise. However, organizations that trust their homeservers and maintain strict server control are less exposed. Overall, the vulnerability could facilitate targeted espionage, data exfiltration, and insider threat scenarios within European enterprises and public sector entities.
Mitigation Recommendations
European organizations should immediately audit their use of matrix-android-sdk2 and upgrade all instances to version 1.5.1 or later to ensure the vulnerability is patched. For those operating or federating with external homeservers, it is critical to verify the trustworthiness and security posture of these servers to prevent malicious cooperation. Implement strict server authentication and monitoring to detect anomalous message patterns indicative of protocol confusion attacks. Disable or restrict federation with untrusted homeservers where possible. Conduct thorough key management reviews and enforce multi-factor authentication for device verification processes to reduce the risk of key injection attacks. Employ network segmentation and endpoint security controls to limit the impact of compromised devices. Additionally, organizations should monitor logs for unusual to-device message activity and consider deploying anomaly detection tools tailored to Matrix protocol traffic. User education on verifying device keys and recognizing suspicious behavior can further reduce risk. Finally, organizations should engage with the Matrix community and security advisories to stay informed about any emerging exploits or patches.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Belgium, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-02T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9845c4522896dcbf462d
Added to database: 5/21/2025, 9:09:25 AM
Last enriched: 6/22/2025, 4:21:03 PM
Last updated: 8/13/2025, 11:07:10 AM