Skip to main content

Wire iOS EUVDEUVD-2026-34008

| CVE-2026-35049 MEDIUM
Improper Input Validation (CWE-20)
2026-06-02 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 02, 2026 - 21:02 EUVD
Analysis Generated
Jun 02, 2026 - 20:29 vuln.today
CVE Published
Jun 02, 2026 - 18:35 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically after message receival with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed with version 4.16.0 which introduces the missing length check and is available via the App Store. No known workarounds are available.

AnalysisAI

Persistent denial-of-service in wire-ios prior to version 4.16.0 allows any authenticated Wire user to permanently crash the victim's iOS client by sending a single crafted Proteus external message with an encrypted payload shorter than 16 bytes. The crash triggers automatically upon message receipt with no user interaction required, and because the malicious message persists in local storage, the app enters an unrecoverable crash loop on every subsequent relaunch - effectively locking the victim out of the application entirely until local state is wiped. No public exploit code is identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Wire's iOS client uses the Proteus protocol, an implementation of the Signal Double Ratchet protocol, for end-to-end encrypted messaging. Proteus supports 'external messages' - a message type that carries an independently encrypted payload alongside the standard envelope. The vulnerability, rooted in CWE-20 (Improper Input Validation), arises because the client fails to enforce a minimum length check on this encrypted payload before processing it. The Proteus decryption routine expects a payload of at least 16 bytes (consistent with a standard AES-GCM nonce or authentication tag boundary), and when presented with a shorter value, the application crashes due to an out-of-bounds or underflow condition. The affected CPE is cpe:2.3:a:wireapp:wire-ios:*:*:*:*:*:*:*:*, covering all versions prior to 4.16.0. The crash is compounded by the iOS client's message persistence model: the malicious message is stored in the local database before the crash path is reached, meaning every relaunch re-triggers the same crash.

RemediationAI

The vendor-released patch is wire-ios version 4.16.0, which introduces the missing payload length validation in the Proteus external message handler. Users should update immediately via the Apple App Store. Wire 4.16.0 is confirmed available through the App Store distribution channel as stated in the advisory. The vendor explicitly states no known workarounds are available. If immediate updating is not possible, a partial compensating control would be to restrict who can initiate contact or send messages to high-value accounts within the Wire organization settings, which limits the pool of accounts capable of delivering the malicious message - however, this does not eliminate risk if the attacker already has an established conversation with the target. Users who have already been targeted and are in a crash loop must wipe local Wire app data (delete and reinstall the application) to restore functionality, then immediately update to 4.16.0.

Share

EUVD-2026-34008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy