CVE-2025-66270
Publication date 27 November 2025
Last updated 10 December 2025
Ubuntu priority
CVSS 3 Severity Score
Description
The KDE Connect protocol 8 before 2025-11-28 does not correlate device IDs across two packets. This affects KDE Connect before 25.12 on desktop, KDE Connect before 0.5.4 on iOS, KDE Connect before 1.34.4 on Android, GSConnect before 68, and Valent before 1.0.0.alpha.49.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| kdeconnect | 25.10 questing | Fixed 25.08.1-0ubuntu2.1 |
| kdeconnect | 25.04 plucky | Not affected |
| kdeconnect | 24.04 LTS noble | Not affected |
| kdeconnect | 22.04 LTS jammy | Not affected |
| kdeconnect | 20.04 LTS focal | Not affected |
| kdeconnect | 18.04 LTS bionic | Not affected |
| kdeconnect | 16.04 LTS xenial | Not affected |
| gnome-shell-extension-gsconnect | 25.10 questing | Vulnerable |
| gnome-shell-extension-gsconnect | 25.04 plucky | Vulnerable |
| gnome-shell-extension-gsconnect | 24.04 LTS noble | Not affected |
| gnome-shell-extension-gsconnect | 22.04 LTS jammy | Not affected |
| gnome-shell-extension-gsconnect | 20.04 LTS focal | Not affected |
Patch details
| Package | Patch details |
|---|---|
| kdeconnect | |
| gnome-shell-extension-gsconnect | |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Adjacent |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-7905-1: KDE Connect vulnerability (3 December 2025)