CVE-2026-35049
Status: Awaiting Analysis (queue)
Denial of Service in Wire iOS Client

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically on message receipt with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed in version 4.16.0, which introduces the missing length check and is available via the App Store. No known workarounds are available.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-04
Generated: 2026-06-23
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: wire
Product: wire_ios
Version / Range: all versions before 4.16.0 (4.16.0 excluded)
CWE
CWE-191 (Integer Underflow): The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Quick Actions (AI-generated summaries)
Executive Summary

The vulnerability affects the Wire iOS client versions prior to 4.16.0. It occurs when the app receives a specially crafted malicious Proteus external message containing an encrypted payload that is shorter than 16 bytes. This causes the app to crash automatically without any user interaction.

Because the malicious message remains in the conversation, the app enters a crash loop every time it is relaunched, making it impossible to reopen the app until the local state is wiped or the app is reinstalled.

The root cause of this vulnerability is improper input validation leading to an integer underflow issue.

Impact Analysis

This vulnerability can cause a persistent remote denial-of-service (DoS) condition on the Wire iOS client. An attacker can send a malicious message that crashes the app automatically and causes it to enter a crash loop on every relaunch.

As a result, users will be unable to open or use the Wire iOS app until they wipe the local state or reinstall the app, leading to a significant loss of availability.

Detection Guidance

This vulnerability manifests as a persistent crash loop of the Wire iOS client upon receiving a crafted malicious Proteus external message with an encrypted payload smaller than 16 bytes.

Detection involves monitoring the Wire iOS client for repeated crashes or inability to reopen the app after receiving messages.

Since the issue is triggered by a specific type of message, network detection could focus on identifying Proteus external messages with encrypted payloads shorter than 16 bytes.

However, no specific commands or automated detection tools are provided in the available information.

Mitigation Strategies

The immediate mitigation step is to upgrade the Wire iOS client to version 4.16.0 or later, which includes the fix for this vulnerability.

If the app is already affected and stuck in a crash loop, the local state must be wiped by reinstalling the app to restore functionality.

No other workarounds or mitigations are known.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
