
New security issues found in Matrix

Cybersecurity researcher Soatok has published a detailed analysis describing multiple cryptographic weaknesses in Vodozemac, the Rust library that implements Matrix’s end-to-end encryption (the Olm and Megolm protocols). The disclosure follows a short but intensive review of the library’s source code, which turned up issues ranging from a high-severity protocol flaw to questionable design choices.

Timeline of Disclosure

The vulnerabilities were first reported to Matrix’s security team on February 11, 2026. After a week of back-and-forth, during which Matrix’s team downplayed the severity of the issues, Soatok decided to proceed with full public disclosure on February 17, citing the project’s past failure to address similar concerns in a timely manner.

Key Vulnerabilities

1. Olm Diffie-Hellman Accepts the Identity Element (Severity: High)

The most critical flaw: the library’s Diffie-Hellman step accepts a low-order point (the all-zero encoding of the group’s identity element, for example) as the peer’s public key. Feeding in such a point forces the X25519 shared secret to be all zeros regardless of the honest party’s private key, so every key derived from it is known to the attacker and confidentiality is lost entirely.

The issue arises because the library never checks whether the output of the Diffie-Hellman operation is “contributory,” that is, whether the result is non-zero. The underlying X25519 library already exposes this check, so the fix is a matter of calling it and rejecting the handshake when it fails. Soatok provided a patch that adds these checks, but as of the disclosure no official fix had been released.
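To make the failure concrete, here is an added example (not Vodozemac’s code, nor Soatok’s patch): a pure-Python X25519 scalar multiplication following the RFC 7748 Montgomery ladder, with and without a contributory check. The Alice/Bob keys are the RFC 7748 section 6.1 test vectors; the low-order “public keys” fed to the honest party are constructed inputs. The name `x25519_contributory` and the `demo` function are this example’s own.

```python
"""Added example (not Vodozemac's code): a pure-Python X25519 (RFC 7748
Montgomery ladder) used to show why a Diffie-Hellman step must reject a
non-contributory result.  Feeding a low-order u-coordinate such as 0 or 1
as the peer's "public key" makes the shared secret all zeros regardless of
our private key, so anything derived from it is attacker-predictable."""

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4, the Montgomery ladder constant
BASEPOINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    # RFC 7748 clamping: clear the low 3 bits (so the scalar is a multiple of 8
    # and low-order points are sent to the identity), clear bit 255, set bit 254.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    # Mask the unused top bit and reduce non-canonical encodings modulo p.
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little") % P


def x25519(k: bytes, u: bytes) -> bytes:
    """Raw scalar multiplication with NO contributory check (the flawed shape)."""
    k_int = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # If k*P is the point at infinity, z2 == 0 and the output is all zeros.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_contributory(k: bytes, peer_pub: bytes) -> bytes:
    """Hardened variant (this example's name): refuse an all-zero shared secret,
    the same condition x25519-dalek reports via SharedSecret::was_contributory()."""
    shared = x25519(k, peer_pub)
    if shared == bytes(32):
        raise ValueError("non-contributory DH: peer public key is a low-order point")
    return shared


def demo() -> dict:
    # RFC 7748 section 6.1 test vectors (public, well-known values).
    alice_priv = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    bob_priv = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    alice_pub = x25519(alice_priv, BASEPOINT)
    bob_pub = x25519(bob_priv, BASEPOINT)
    honest = x25519_contributory(alice_priv, bob_pub)

    # Attacker substitutes a low-order point for Bob's key (constructed inputs).
    forced = {}
    for name, bad_pub in (("zero", bytes(32)), ("one", (1).to_bytes(32, "little"))):
        raw = x25519(alice_priv, bad_pub)            # unchecked: silently all zeros
        try:
            x25519_contributory(alice_priv, bad_pub)  # checked: rejected
            rejected = False
        except ValueError:
            rejected = True
        forced[name] = (raw == bytes(32), rejected)

    return {
        "honest": honest.hex(),
        "agree": honest == x25519(bob_priv, alice_pub),
        "forced": forced,
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked `x25519` returns the same all-zero secret for both low-order inputs, and the key schedule downstream would happily derive message keys from it; the checked variant fails closed. The check costs one 32-byte comparison and belongs at the DH boundary, not in the caller.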

2. Downgrade Attacks from V2 to V1

Vodozemac implements a “Version 2” of its message format, which carries a full 256-bit HMAC tag instead of the 64-bit truncated tag used in Version 1. However, V1 remains the default, and because receivers still accept V1 messages an active attacker can force a downgrade simply by truncating the MAC on the wire. The stronger tag therefore buys nothing against the attacker it was meant to stop.
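The following is an added example, not Vodozemac’s code, that models the downgrade in a simplified form. It assumes (the article does not state these details) that the V1 tag is the first 8 bytes of the same HMAC-SHA-256 whose full 32 bytes form the V2 tag, that the tag is the trailing field of the message, and that a lenient receiver infers which tag length to verify from the message itself. The key and message body are constructed inputs; `open_lenient`, `open_pinned` and `downgrade` are this example’s own names.

```python
"""Added example (not Vodozemac's code): a simplified model of the V2 -> V1
MAC downgrade.  Modelling assumptions, not from the article: the V1 tag is
the first 8 bytes of the same HMAC-SHA-256 that V2 sends in full, the tag is
the last field of the message, and the lenient receiver picks the tag length
from the message rather than from negotiated session state."""

import hashlib
import hmac
from typing import Optional

MAC_LEN_V1 = 8    # 64-bit truncated tag (V1)
MAC_LEN_V2 = 32   # 256-bit tag (V2)


def mac(key: bytes, body: bytes, length: int) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:length]


def seal(key: bytes, body: bytes, version: int) -> bytes:
    length = MAC_LEN_V2 if version == 2 else MAC_LEN_V1
    return body + mac(key, body, length)


def open_lenient(key: bytes, msg: bytes) -> Optional[bytes]:
    """Vulnerable receiver: try V2, then fall back to V1.  The message
    effectively chooses its own security level."""
    for length in (MAC_LEN_V2, MAC_LEN_V1):
        if len(msg) > length:
            body, tag = msg[:-length], msg[-length:]
            if hmac.compare_digest(mac(key, body, length), tag):
                return body
    return None


def open_pinned(key: bytes, msg: bytes, session_version: int) -> Optional[bytes]:
    """Hardened receiver: the tag length comes from state both parties fixed
    when the session was established, never from the bytes on the wire."""
    length = MAC_LEN_V2 if session_version == 2 else MAC_LEN_V1
    if len(msg) <= length:
        return None
    body, tag = msg[:-length], msg[-length:]
    return body if hmac.compare_digest(mac(key, body, length), tag) else None


def downgrade(msg_v2: bytes) -> bytes:
    """Active attacker on the wire: drop the last 24 bytes of the V2 tag.
    Under the modelling assumption above, what remains is a valid V1 tag."""
    return msg_v2[:-(MAC_LEN_V2 - MAC_LEN_V1)]


def demo() -> dict:
    key = b"k" * 32                              # constructed session MAC key
    body = b"\x04" + b"ciphertext-bytes" * 3     # constructed 49-byte message body
    v2 = seal(key, body, 2)
    tampered = downgrade(v2)
    return {
        "lenient_accepts_original": open_lenient(key, v2) == body,
        "lenient_accepts_downgraded": open_lenient(key, tampered) == body,
        "pinned_accepts_original": open_pinned(key, v2, 2) == body,
        "pinned_rejects_downgraded": open_pinned(key, tampered, 2) is None,
        "downgraded_tag_bits": (len(tampered) - len(body)) * 8,
    }


if __name__ == "__main__":
    print(demo())
```

The lenient receiver accepts the truncated message as a perfectly good V1 message, so a V2 sender gains nothing against an on-path attacker. The pinned receiver rejects it because the session state, not the message, says a 32-byte tag is required; the general rule is that any parameter affecting security (tag length, cipher suite, protocol version) must be fixed before the first message and never re-read from untrusted framing.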

Miscellaneous Issues

Several other issues were noted, including:

  • ECIES CheckCode with only 100 possible values, so a single guess succeeds with probability 1/100 and repeated attempts make it trivial to pass.
  • Message keys silently dropped once a hardcoded limit is reached, leaving later messages undecryptable with no error surfaced to the user.
  • Deterministic IVs in the pickle (serialized session) format, which breaks semantic security for the stored data.
  • A fuzzing mode that disables MAC and signature verification, a dangerous footgun if it is ever compiled into a production build.
  • Strict Ed25519 signature verification disabled by default, requiring a feature flag to activate.

Impact

The vulnerabilities affect both Vodozemac and the older libolm library, so a large portion of the Matrix ecosystem is potentially at risk. Group chats and private conversations could be exposed to passive or active attackers, with no clear indication of compromise shown to users.

Soatok’s analysis concludes that Matrix’s cryptographic implementations continue to show a lack of expertise and rigor. Despite previous audits and disclosures, the project has failed to address fundamental issues, and the response to this latest disclosure suggests a pattern of dismissing external criticism.

Source: Soatok
