MEDIUM 6.5

CVE-2026-35049: Wire iOS Denial-of-Service via Malformed Proteus Message

Wire iOS users running versions before 4.16.0 are vulnerable to a denial-of-service attack where a specially crafted message causes the app to crash immediately upon receipt, without any user action required. The crash persists across app restarts, trapping users in a crash loop until they manually clear the app's local data. This affects authenticated users only—the attacker must have messaging access to the target.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-191, CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically after message receival with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed with version 4.16.0 which introduces the missing length check and is available via the App Store. No known workarounds are available.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-35049 is an integer underflow or buffer length validation flaw in the Wire iOS Proteus protocol handler. When a Proteus external message arrives with an encrypted payload shorter than 16 bytes, the client fails to validate the payload length before processing it, triggering a crash. Because the malicious message is stored in the local conversation history, the crash condition persists on relaunch, preventing the app from becoming functional without wiping local state. The vulnerability stems from missing length validation (CWE-20) and improper numeric handling (CWE-191).

Business impact

Wire iOS users cannot access the application after receiving a malicious message, creating both availability disruption and potential social engineering vectors. Teams relying on Wire for secure team communication face service interruption that requires manual intervention (data wipe) to resolve. In regulated environments, forced data loss may trigger compliance complications. The attack is low-friction for an authenticated attacker, making it useful for targeted harassment or organizational disruption.

Affected systems

Wire iOS client versions prior to 4.16.0 are affected. The vulnerability requires the attacker to have authenticated messaging capability within Wire, meaning they must either be an accepted contact or member of a group conversation accessible to the target. Desktop and web Wire clients are not affected—only the iOS mobile application.

Exploitability

Exploitability is straightforward for a threat actor with messaging access. No special tools, zero user interaction, and no advanced technical capability is required beyond crafting a valid Proteus message with a short encrypted payload. The automatic crash and persistent crash loop lower the barrier to denial-of-service impact. CVSS reflects this with a score of 6.5 (Medium severity)—high availability impact offset by the requirement for prior authentication.

Remediation

Update Wire iOS to version 4.16.0 or later, which includes a length check to validate Protetus encrypted payloads before processing. No workarounds are available; users affected by the crash loop must uninstall and reinstall the app or perform a manual wipe of Wire's local application data before the app becomes usable again.

Patch guidance

Visit the iOS App Store and update Wire to version 4.16.0 or any subsequent version. The patch adds input validation at the Proteus message handler, rejecting payloads under 16 bytes before they trigger a crash. Verify the updated version number in Settings > About after installation. Enterprise deployments using Mobile Device Management (MDM) should push the update to ensure coverage across managed iOS devices.

Detection guidance

Monitor for repeated Wire app crashes in your infrastructure logs or device telemetry. If users report sudden app crashes when receiving specific messages, and crashes repeat on relaunch, suspect this vulnerability if device Wire version is below 4.16.0. On affected devices, inspect the local Wire database or app cache for malformed Proteus messages (payloads <16 bytes). Endpoint Detection and Response (EDR) platforms may flag repeated app crashes in a short window as anomalous behavior. Network-level detection is difficult because the payload is encrypted; focus on app-level telemetry and user reports.

Why prioritize this

While CVSS is moderate (6.5), prioritize patching because: (1) the attack is trivial to execute with no user interaction, (2) impact is absolute—the app becomes unusable, (3) the crash persists until manual intervention, creating customer friction, and (4) it is a reliable denial-of-service vector for authenticated attackers. For organizations using Wire as a primary communications channel, this creates operational risk. The lack of a workaround elevates practical priority beyond the numerical score.

Risk score, explained

CVSS 6.5 reflects high availability impact (A:H) but is tempered by the requirement for authenticated access (PR:L) and no confidentiality or integrity breach. The network-accessible vector (AV:N) acknowledges that any authenticated user can send a message. The 'Medium' severity reflects that this is a denial-of-service with a low bar to execution, but impact is limited to availability and requires prior relationship or group membership.

Frequently asked questions

Do I need to be an existing contact or group member to exploit this?

Yes. The vulnerability requires authenticated messaging capability. An attacker must either be in your Wire contacts with an accepted connection, or be a member of a group conversation you are part of. Random external users cannot send the malicious message.

Will updating automatically fix a crashed app, or do I need to wipe data?

If your app is already in a crash loop due to a received malicious message, update alone may not resolve it. You may need to uninstall and reinstall the app, or manually clear Wire's local application data via Settings > General > Storage, before the crash loop clears. After updating to 4.16.0 or later, new malicious messages will be rejected safely.

Are Wire desktop or web clients affected?

No. This vulnerability is specific to the iOS mobile client. Wire for macOS, Windows, Linux, and web browsers are not impacted by this particular flaw.

Can I detect if I've received one of these malicious messages?

Not reliably without app instrumentation. The crash happens automatically, so you may not see the message content. If your Wire app crashes repeatedly on startup and updating doesn't help, suspect this vulnerability and wipe your local app data as instructed above.

This analysis is based on published CVE data as of June 2026. Verify patch availability and version numbers directly with Wire or the iOS App Store. This vulnerability requires authenticated access and does not affect Wire clients on other platforms. No public exploit code is known; this assessment reflects the published description and CVSS vector only. Organizations should test patches in non-production environments before broad deployment. Wire users unable to access the app should contact Wire support or uninstall/reinstall after updating the app. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).