CVE-2020-26164

Summary

CVE	CVE-2020-26164
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-10-07 19:15:00 UTC
Updated	2023-01-31 21:44:00 UTC
Description	In kdeconnect-kde (aka KDE Connect) before 20.08.2, an attacker on the local network could send crafted packets that trigger use of large amounts of CPU, memory, or network connection slots, aka a Denial of Service attack.

Risk And Classification

Problem Types: CWE-400

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Kde	Kdeconnect	All	All	All	All
Application	Kde	Kdeconnect	All	All	All	All
Application	Opensuse	Backports Sle	15.0	sp1	All	All
Application	Opensuse	Backports Sle	15.0	sp2	All	All
Application	Opensuse	Backports Sle	15.0	sp1	All	All
Application	Opensuse	Backports Sle	15.0	sp2	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All
Operating System	Opensuse	Leap	15.1	All	All	All
Operating System	Opensuse	Leap	15.2	All	All	All

References

Reference	Source	Link	Tags
Don't brute-force reading the socket · KDE/kdeconnect-kde@8112729 · GitHub	MISC	github.com	Patch, Third Party Advisory
Do not remember more than a few identity packets at a time · KDE/kdeconnect-kde@613899b · GitHub	MISC	github.com	Patch, Third Party Advisory
oss-security - Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon	MLIST	www.openwall.com	Third Party Advisory
[security-announce] openSUSE-SU-2020:1650-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
oss-security - kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon	MLIST	www.openwall.com	Third Party Advisory
Limit number of connected sockets from unpaired devices · KDE/kdeconnect-kde@542d94a · GitHub	MISC	github.com	Patch, Third Party Advisory
KDE Connect	MISC	kdeconnect.kde.org	Product
Bug 1176268 – AUDIT-0: CVE-2020-26164: kdeconnect-kde: review of default-enabled network service in openSUSE Leap 15.2, Tumbleweed	MISC	bugzilla.suse.com	Issue Tracking, Third Party Advisory
oss-security - Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon	MLIST	www.openwall.com	Third Party Advisory
[security-announce] openSUSE-SU-2020:1647-1: important: Security update	SUSE	lists.opensuse.org	Mailing List, Third Party Advisory
Limit identity packets to 8KiB · KDE/kdeconnect-kde@4fbd01a · GitHub	MISC	github.com	Patch, Third Party Advisory
oss-security - Re: kdeconnect: CVE-2020-26164: multiple security issues in kdeconnectd network daemon	MLIST	www.openwall.com
Do not let lanlink connections stay open for long without authenticating · KDE/kdeconnect-kde@024e5f2 · GitHub	MISC	github.com	Patch, Third Party Advisory
Releases · KDE/kdeconnect-kde · GitHub	MISC	github.com	Release Notes, Third Party Advisory
KDE Connect: Denial of service (GLSA 202101-16) — Gentoo security	GENTOO	security.gentoo.org
Limit the ports we try to connect to to the port range of KDE Connect · KDE/kdeconnect-kde@ce0f00f · GitHub	MISC	github.com	Patch, Third Party Advisory
kde.org/info/security/advisory-20201002-1.txt	CONFIRM	kde.org	Third Party Advisory, Vendor Advisory
[security-announce] openSUSE-SU-2020:1631-1: important: Security update	CONFIRM	lists.opensuse.org	Mailing List, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

501595 Alpine Linux Security Update for kdeconnect
690524 Free Berkeley Software Distribution (FreeBSD) Security Update for kdeconnect (c71ed065-0600-11eb-8758-e0d55e2a8bf9)