CVE-2026-35049
Denial of Service in Wire iOS Client
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wire | wire_ios | before 4.16.0 (4.16.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects the Wire iOS client versions prior to 4.16.0. It occurs when the app receives a specially crafted malicious Proteus external message containing an encrypted payload that is shorter than 16 bytes. This causes the app to crash automatically without any user interaction.
Because the malicious message remains in the conversation, the app enters a crash loop every time it is relaunched, making it impossible to reopen the app until the local state is wiped or the app is reinstalled.
The root cause of this vulnerability is improper input validation leading to an integer underflow issue.
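The length pattern behind CWE-20 and CWE-191 in this advisory (subtracting a fixed size from an untrusted payload length before checking that the payload is actually that long) can be shown side by side with its fix. The following is an added illustration, not code from Wire or from the Proteus library; the layout it assumes (a fixed 16-byte prefix followed by ciphertext) and the names `MESSAGE_PREFIX_LEN`, `parse_external_message` and `process_inbox` are constructed for the example. It also shows the startup-replay behaviour a client needs so that one rejected message cannot reproduce the relaunch crash loop described above.

```rust
// Added illustration, not code from Wire or the Proteus library. The layout below is an
// assumption: a fixed 16-byte prefix (MESSAGE_PREFIX_LEN) followed by the ciphertext.
const MESSAGE_PREFIX_LEN: usize = 16;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// The payload is shorter than the fixed prefix it must carry.
    TooShort { got: usize, need: usize },
}

#[derive(Debug, PartialEq)]
pub struct ExternalMessage<'a> {
    pub prefix: &'a [u8],
    pub ciphertext: &'a [u8],
}

/// The CWE-191 pattern: derive the ciphertext length by subtracting the prefix size
/// from the payload size with no prior check. On an unsigned type this wraps
/// (`wrapping_sub` makes the release-build behaviour explicit; a plain `-` panics
/// in debug builds), so a 10-byte payload yields a length near usize::MAX and any
/// slice built from it aborts the process.
pub fn ciphertext_len_unchecked(payload: &[u8]) -> usize {
    payload.len().wrapping_sub(MESSAGE_PREFIX_LEN)
}

/// CWE-20 remedy: validate the length before the arithmetic and turn the bad case
/// into an error the caller can handle instead of a crash.
pub fn parse_external_message(payload: &[u8]) -> Result<ExternalMessage<'_>, ParseError> {
    let ct_len = payload
        .len()
        .checked_sub(MESSAGE_PREFIX_LEN)
        .ok_or(ParseError::TooShort { got: payload.len(), need: MESSAGE_PREFIX_LEN })?;
    let (prefix, ciphertext) = payload.split_at(MESSAGE_PREFIX_LEN);
    debug_assert_eq!(ciphertext.len(), ct_len);
    Ok(ExternalMessage { prefix, ciphertext })
}

/// Replays a stored inbox on startup and returns (accepted, rejected). A malformed
/// message is skipped rather than allowed to abort the loop, so a single bad entry
/// persisted in the conversation cannot keep the client crashing on every relaunch.
pub fn process_inbox(inbox: &[Vec<u8>]) -> (usize, usize) {
    let mut accepted = 0;
    let mut rejected = 0;
    for msg in inbox {
        match parse_external_message(msg) {
            Ok(_) => accepted += 1,
            Err(e) => {
                // In a real client: log, then drop or quarantine the message, and continue.
                eprintln!("rejecting malformed message: {:?}", e);
                rejected += 1;
            }
        }
    }
    (accepted, rejected)
}

/// Constructed sample inbox: two well-formed payloads (20 and 16 bytes), a 10-byte
/// payload like the one in the advisory, and an empty payload.
pub fn sample_inbox() -> Vec<Vec<u8>> {
    vec![vec![0xAA; 20], vec![0xBB; 10], vec![0xCC; 16], Vec::new()]
}

fn main() {
    println!(
        "unchecked length for a 10-byte payload: {}",
        ciphertext_len_unchecked(&[0u8; 10])
    );
    let (ok, bad) = process_inbox(&sample_inbox());
    println!("accepted {ok}, rejected {bad}");
}
```

Running the binary prints the wrapped length the unchecked path produces for a 10-byte payload and then reports 2 accepted and 2 rejected messages for the constructed inbox; the key design point is that the length check happens before the subtraction and that a rejection is an ordinary return value, not a process abort.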
How can this vulnerability impact me?
This vulnerability can cause a persistent remote denial-of-service (DoS) condition on the Wire iOS client. An attacker can send a malicious message that crashes the app automatically and causes it to enter a crash loop on every relaunch.
As a result, users will be unable to open or use the Wire iOS app until they wipe the local state or reinstall the app, leading to a significant loss of availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability manifests as a persistent crash loop of the Wire iOS client upon receiving a crafted malicious Proteus external message with an encrypted payload smaller than 16 bytes.
Detection involves monitoring the Wire iOS client for repeated crashes or inability to reopen the app after receiving messages.
Since the issue is triggered by a specific type of message, network detection could focus on identifying Proteus external messages with encrypted payloads shorter than 16 bytes.
However, no specific commands or automated detection tools are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Wire iOS client to version 4.16.0 or later, which includes the fix for this vulnerability.
If the app is already affected and stuck in a crash loop, the local state must be wiped by reinstalling the app to restore functionality.
No other workarounds or mitigations are known.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.