CVE-2022-31009 is a medium-severity vulnerability affecting the iOS client of the Wire secure messaging application (wire-ios) prior to version 3.100. The issue arises from a reachable assertion (CWE-617) triggered during the processing of accent color values associated with Wire communication partners. Specifically, when the client attempts to convert an integer representing an accent color into a corresponding enum value, an unnecessary assert statement causes the application to throw an exception if the integer value is invalid. Instead of gracefully falling back to a default value, this assertion leads to repeated crashes of the Wire iOS client upon launch, rendering it partially unusable. The invalid accent colors can be sent between Wire users, meaning that a malicious or compromised user could deliberately send crafted accent color values to cause the recipient's iOS client to crash repeatedly. This vulnerability does not require authentication beyond normal user interaction, as it leverages the exchange of messages or user metadata within the Wire platform. The root cause was addressed in Wire iOS version 3.100 by removing the assert and implementing a fallback mechanism. No workaround exists other than upgrading the client or using alternative Wire clients such as the web app. There are no known exploits in the wild at this time. The vulnerability impacts availability by causing denial of service on the affected client, but does not directly compromise confidentiality or integrity of messages or data. The scope is limited to the wire-ios client on iOS devices, affecting users who have not upgraded to version 3.100 or later.

For European organizations using Wire as a secure communication tool on iOS devices, this vulnerability could disrupt internal and external communications by causing the Wire iOS client to crash repeatedly, effectively denying service to affected users. This could impact productivity and delay critical messaging, especially in sectors relying on secure and timely communication such as finance, healthcare, legal, and government. Since the vulnerability can be triggered by sending specially crafted accent color values, it could be exploited by malicious insiders or external threat actors who gain access to user accounts or communication channels. Although the vulnerability does not expose message contents or allow unauthorized access, the denial of service could be leveraged as part of a broader attack to degrade operational capabilities or cause user frustration leading to decreased trust in the platform. The impact is primarily on availability and user experience rather than data confidentiality or integrity. Organizations with a significant number of iOS Wire users who have not upgraded to version 3.100 are most at risk. The lack of a workaround other than upgrading or switching clients increases the urgency of patching. Given the absence of known exploits, the immediate risk is moderate, but the potential for targeted disruption exists.

1. Immediate upgrade of all Wire iOS clients to version 3.100 or later to ensure the vulnerability is patched. 2. Enforce organizational policies that mandate timely updates of mobile applications, particularly those used for secure communications. 3. Educate users about the risk of opening messages or interacting with unknown or suspicious contacts within Wire, as malicious accent colors are delivered via user metadata. 4. Monitor Wire communication logs and user reports for repeated client crashes or unusual behavior that could indicate exploitation attempts. 5. Temporarily encourage affected users to switch to alternative Wire clients such as the web app or desktop versions until the iOS client is updated. 6. Coordinate with Wire support or security teams to stay informed about any emerging exploits or additional patches. 7. Implement mobile device management (MDM) solutions to enforce app version compliance and restrict installation of outdated versions. 8. Review and restrict access controls within Wire to minimize the risk of malicious actors sending crafted messages internally.