Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (LY-Corporation) · only source for this CVE.
CVSS VectorVendor: LY-Corporation
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable.
AnalysisAI
LINE for iOS versions before 26.3.0 suffer from dialog-based denial-of-service through the in-app browser. A remote attacker can render an iOS device temporarily inoperable by crafting a malicious web page that triggers infinite OS-level dialog loops when opened in LINE's browser, requiring only that a user click a malicious link. EPSS exploitation probability is minimal (0.01%, 1st percentile) with no active exploitation confirmed. Vendor patch released in version 26.3.0, addressing CWE-451 (user interface misrepresentation).
Technical ContextAI
This vulnerability exploits CWE-451 (User Interface (UI) Misrepresentation of Critical Information) within LINE's custom in-app browser implementation on iOS. The flaw allows malicious web content to abuse iOS system dialog APIs, creating an infinite loop of OS-level alerts that block user interaction with the device. Unlike typical web-based DoS that affects only the browser process, this attack leverages the boundary between WebKit rendering context and native iOS UI frameworks to escalate from application-level to device-level disruption. The CPE identifier cpe:2.3:a:line_corporation:line_client_for_ios confirms this is specific to LINE Corporation's iOS messaging client, not the web or Android versions. The CVSS 4.0 vector indicates high availability impact (VA:H) at the vulnerable component level with some secondary availability impact (SA:L), reflecting that while the LINE app becomes unusable, the underlying iOS system remains functional once the app is force-closed.
RemediationAI
Update LINE for iOS to version 26.3.0 or later through the Apple App Store, as confirmed by vendor patch availability. LY-Corporation released this patched version addressing the dialog loop vulnerability in the in-app browser. Users can verify their version in LINE app settings under 'About LINE'. While awaiting patch deployment, organizations can instruct users to open external links in Safari rather than LINE's in-app browser by long-pressing links and selecting 'Open in Safari' - this bypasses the vulnerable browser component entirely. For enterprise MDM environments, consider blocking LINE versions below 26.3.0 through application versioning policies. If a device becomes unresponsive due to exploitation, force-close the LINE app via iOS multitasking interface or hard-restart the device to restore functionality, then update immediately. Vendor advisory details available at https://nvd.nist.gov/vuln/detail/CVE-2026-3861 and original disclosure at https://hackerone.com/reports/3422905.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23196
GHSA-rc35-963c-p69f