CVE-2025-27606

Published: Mar 14, 2025

Modified: Mar 14, 2025

PUBLISHED

CVSS v3.1

5.1

MEDIUM

Description

Element Android is an Android Matrix Client provided by Element. Element Android up to version 1.6.32 can, under certain circumstances, fail to logout the user if they input the wrong PIN more than the configured amount of times. An attacker with physical access to a device can exploit this to guess the PIN. Version 1.6.34 solves the issue.

Vendor	Product	Versions
element-hq	element-android	affected `< 1.6.34`

Weaknesses (CWE)

CWE-488

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

References

https://github.com/element-hq/element-android/security/advisories/GHSA-632v-9pm3-m8ch

x_refsource_CONFIRM

https://github.com/element-hq/element-android/commit/53bd78b05de375c6e6b0b5aa794a56b4ba95984c

x_refsource_MISC

https://github.com/element-hq/element-android/commit/87d7fcdc8036a4db4da8c403f87c73a64a546304

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-27606

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References