CVE-2026-35049— wire-ios has Persistent Remote DoS via Integer Underflow
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35049
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
wire-ios has Persistent Remote DoS via Integer Underflow
Source: NVD (National Vulnerability Database)
Vulnerability Description
wire-ios is an iOS client for the Wire secure messaging application. Prior to version 4.16.0, upon receiving a crafted malicious Proteus external message with an encrypted payload that is shorter than 16 bytes, the Wire iOS client crashes. The crash is triggered automatically after message receival with no user interaction. Since the malicious message persists in the conversation, the app enters a crash loop on relaunch and cannot be reopened until the local state is wiped. This issue has been fixed with version 4.16.0 which introduces the missing length check and is available via the App Store. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-35049
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35049
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-35049 (1)
IV. Related Vulnerabilities
Same product: wire-ios
- CVE-2025-49846
wire-ios accidentally logs message contents - CVE-2022-31009
DoS vulnerability: Invalid Accent Colors - CVE-2022-23625
DoS vulnerability: Malformed Resource Identifiers - CVE-2021-41094
Mandatory encryption at rest can be bypassed (UI) in Wire ap - CVE-2021-41093
Account takeover when having only access to a user's short l
Same vendor: wireapp
- CVE-2025-49846
wire-ios accidentally logs message contents - CVE-2025-48066
wire-webapp has no database deletion on client logout - CVE-2025-48061
wire-webapp Has Insufficient Session Invalidation after User - CVE-2023-48221
wire-avs remote format string vulnerability - CVE-2023-22737
wire-server vulnerable to unauthorized removal of Bots from
Same weakness: CWE-20
- CVE-2026-47201
authentik: XML Signature Wrapping in SAML Source ACS allows - CVE-2026-45685
OpenTelemetry eBPF Instrumentation: MongoDB parser panics on - CVE-2026-45678
OpenTelemetry eBPF Instrumentation: Postgres BIND parsing ca - CVE-2026-45676
OpenTelemetry eBPF Instrumentation: Unsafe fastelf parsing a - CVE-2026-7195
CWE-20: Improper Input Validation in web services in Progres
V. Comments for CVE-2026-35049
No comments yet