Description
wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically on message receipt with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed in version 4.16.0, which introduces the missing length check and is available via the App Store. No known workarounds are available.
Published: 2026-06-02
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an integer underflow in the message length check for encrypted payloads shorter than 16 bytes. When a maliciously crafted Proteus external message is received, the application crashes automatically without user action, leading to a persistent crash loop that prevents the app from being reopened until the local state is wiped. The weakness is a classic integer underflow (CWE-191) combined with improper input validation of an attacker-supplied length (CWE-20).
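The length-check failure described above, shown as an added illustration in C that is not code from the Wire client or the Proteus library. It assumes, purely for the example, that the encrypted payload ends with a 16-byte authentication tag (the page only states the 16-byte minimum); the function and type names are likewise constructed. The vulnerable helper subtracts the tag length from an unsigned payload length without first checking the minimum, so a 15-byte payload wraps to SIZE_MAX; the hardened helper performs the missing check and rejects the message instead of crashing on it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not the Wire client's code.
 * Assumption for illustration: the encrypted payload carries a 16-byte
 * authentication tag after the ciphertext, so any valid payload is at
 * least 16 bytes long. */
#define TAG_LEN ((size_t)16)

typedef struct {
    const uint8_t *ciphertext;
    size_t ciphertext_len;
    const uint8_t *tag;
} split_payload;

/* Vulnerable pattern: unsigned subtraction with no minimum-length check.
 * For payload_len < TAG_LEN the result wraps around (a 15-byte payload
 * yields SIZE_MAX), and downstream code then treats that as a real
 * ciphertext length. */
size_t vulnerable_ciphertext_len(size_t payload_len) {
    return payload_len - TAG_LEN;
}

/* Hardened pattern: validate the length before doing arithmetic on it, so a
 * malformed message is dropped rather than taking the client down.
 * Returns false and leaves *out untouched for payloads shorter than TAG_LEN. */
bool safe_split_payload(const uint8_t *payload, size_t payload_len,
                        split_payload *out) {
    if (payload == NULL || out == NULL) {
        return false;
    }
    if (payload_len < TAG_LEN) {          /* the missing length check */
        return false;
    }
    out->ciphertext = payload;
    out->ciphertext_len = payload_len - TAG_LEN;   /* cannot underflow now */
    out->tag = payload + out->ciphertext_len;
    return true;
}

int main(void) {
    /* Constructed inputs: a 15-byte payload (too short) and a 20-byte one. */
    uint8_t short_payload[15] = {0};
    uint8_t ok_payload[20] = {0};
    split_payload parts;

    printf("vulnerable: 15 - 16 wraps to %zu\n",
           vulnerable_ciphertext_len(sizeof short_payload));
    printf("safe, 15 bytes: %s\n",
           safe_split_payload(short_payload, sizeof short_payload, &parts)
               ? "accepted" : "rejected");
    if (safe_split_payload(ok_payload, sizeof ok_payload, &parts)) {
        printf("safe, 20 bytes: ciphertext_len=%zu\n", parts.ciphertext_len);
    }
    return 0;
}
```

The check must come before the subtraction, not after: once the unsigned value has wrapped, a later comparison such as `ciphertext_len > max` no longer catches it in any useful way, and a language that traps on overflow (as Swift does by default) will have aborted already.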

Affected Systems

The issue affects all installations of the Wire iOS client on versions prior to 4.16.0, including 4.15.x and earlier. The affected vendor is Wireapp, product Wire-iOS.

Risk and Exploitability

The CVSS score of 6.5 classifies this as a moderate severity flaw. Since the device receives the malicious content via a message that can be sent remotely, the attack vector is likely network, though no direct exploitation evidence is provided. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Because the crash is triggered immediately upon receipt and the message persists in the conversation, an attacker could disrupt service with a single message; no user interaction is required beyond receiving the message.

Generated by OpenCVE AI on June 3, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to wire-ios version 4.16.0 or newer via the App Store.
  • Delete the chat containing the malicious message or wipe the app’s local data to stop the crash loop after upgrade.
  • Reinstall the app if wiping local data does not resolve the issue, ensuring the latest version is fully installed.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically after message receival with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed with version 4.16.0 which introduces the missing length check and is available via the App Store. No known workarounds are available.

Type: Title
Values Removed: (none)
Values Added: wire-ios has Persistent Remote DoS via Integer Underflow

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-191, CWE-20

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T18:35:48.536Z

Reserved: 2026-03-31T21:06:06.429Z

Link: CVE-2026-35049

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:35.003

Modified: 2026-06-02T20:16:35.003

Link: CVE-2026-35049

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses