matrix-rust-sdk, Denial-of-Service, CVE-2025-43278 (Low)

Listen to this Post

The vulnerability exists within the `normalized_power_level()` method. This method is designed to convert a user’s raw power level, a 64-bit signed integer (i64), into a normalized value between 0 and 100. The calculation involves comparing the user’s level to the room’s maximum power level. The panic occurs due to an arithmetic underflow when the provided user power level is the smallest possible value for an i64, `-9,223,372,036,854,775,808` (i64::MIN). Specifically, the method attempts to compute i64::MIN.abs(), but because the absolute value of `i64::MIN` is greater than i64::MAX, this operation overflows and causes a panic, abruptly terminating the application thread.
Platform: matrix-rust-sdk
Version: <0.14.1
Vulnerability: DoS
Severity: Low

date: 2025-09-11

Prediction: 2025-09-18

What Undercode Say:

cargo audit
cargo update -p matrix-sdk-base
// Code triggering the panic
let bad_power_level = i64::MIN;
let _ = member.normalized_power_level();

How Exploit:

Malicious server sends `i64::MIN` as a user’s power level in a sync response or state event.

Protection from this CVE:

Upgrade to matrix-sdk-base >=0.14.1.

Impact:

Local application crash (Denial-of-Service).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top