Wire Wire-iOS Integer Underflow Vulnerability Leading to Persistent Remote Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Wire iOS client versions prior to 4.16.0. The issue arises when the application receives a crafted Proteus external message containing an encrypted payload shorter than 16 bytes. The app crashes automatically upon message receipt, without any user interaction. The malicious message remains in the conversation, so the app enters a crash loop upon relaunch. The application cannot be reopened until the local state is wiped, such as by reinstalling the app. Version 4.16.0 addresses this vulnerability by introducing the necessary length check, and is available through the App Store.
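The missing length check described above, shown as an added C example; it is not Wire's code. The 16-byte minimum comes from the advisory, while the function names, the status enum and the treatment of the first 16 bytes as a fixed-size prefix are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MIN_PAYLOAD_LEN 16u /* minimum payload length named in the advisory */

/* Hypothetical status codes: a rejected message can be discarded by the
 * caller instead of being reprocessed on every launch. */
typedef enum { MSG_OK = 0, MSG_REJECTED_SHORT = 1 } msg_status;

/* Constructed sample input: 32 zero bytes stand in for a received payload. */
static const uint8_t sample[32] = {0};

/* Unchecked pattern: unsigned subtraction wraps around for len < 16,
 * producing a huge "body length" from a tiny input. */
size_t body_len_unchecked(size_t len)
{
    return len - MIN_PAYLOAD_LEN;
}

/* Checked pattern: validate the length before any arithmetic on it. */
msg_status body_len_checked(const uint8_t *buf, size_t len, size_t *body_len)
{
    if (buf == NULL || body_len == NULL || len < MIN_PAYLOAD_LEN)
        return MSG_REJECTED_SHORT;
    *body_len = len - MIN_PAYLOAD_LEN; /* cannot wrap: len >= 16 here */
    return MSG_OK;
}

/* Convenience wrapper: body length for the sample buffer, or -1 if rejected. */
long checked_or_minus1(size_t len)
{
    size_t n = 0;
    return body_len_checked(sample, len, &n) == MSG_OK ? (long)n : -1L;
}

int main(void)
{
    const size_t lens[] = { 0, 15, 16, 32 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu unchecked=%zu checked=%ld\n", lens[i],
               body_len_unchecked(lens[i]), checked_or_minus1(lens[i]));
    return 0;
}
```

In C the unchecked subtraction wraps silently, whereas Swift's default `-` operator traps on overflow and ends the process. In either language the check has to run before the subtraction.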

Impact

Exploitation of this vulnerability causes the Wire iOS client to crash, creating a loop of repeated crashes upon reopening the app. The application cannot be used again until it is reinstalled, which removes the local state.

Remediation

Users can update to Wire iOS version 4.16.0, available through the App Store, to address this vulnerability.

Added: Jun 2, 2026, 8:34 PM
Updated: Jun 2, 2026, 8:34 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 4.7
remediation: 7.7
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.