๐Ÿ” CVE Alert

CVE-2026-35049

MEDIUM 6.5

wire-ios has Persistent Remote DoS via Integer Underflow

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, the Wire iOS client crashes upon receiving a crafted malicious Proteus external message whose encrypted payload is shorter than 16 bytes. The crash is triggered automatically on receipt of the message, with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed in version 4.16.0, which introduces the missing length check and is available via the App Store. No known workarounds are available.

CWE: CWE-20, CWE-191
Vendor: wireapp
Product: wire-ios
Published: Jun 2, 2026
Last Updated: Jun 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Affected Versions

wireapp / wire-ios: < 4.16.0

References

github.com: https://github.com/wireapp/wire-ios/security/advisories/GHSA-v6wg-c7qc-x66g