CVE-2026-3861 - Vulnerability Details - OpenCVE

LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Line Corporation	Line Client For Ios

No data.

No data.

References

Link	Providers
https://hackerone.com/reports/3422905

History

Thu, 16 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-451
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 16 Apr 2026 09:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Line Corporation Line Corporation line Client For Ios
Vendors & Products		Line Corporation Line Corporation line Client For Ios

Thu, 16 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Title		iOS Device Denial of Service via Repeated OS Dialogs in LINE In‑App Browser
Weaknesses		CWE-835

Thu, 16 Apr 2026 06:30:00 +0000

Type	Values Removed	Values Added
Description		LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable.
References		https://hackerone.com/reports/3422905
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: LY-Corporation

Published: 2026-04-16T05:54:05.194Z

Updated: 2026-04-16T12:31:11.953Z

Reserved: 2026-03-10T05:02:39.735Z

Link: CVE-2026-3861

Vulnrichment

Updated: 2026-04-16T12:16:07.683Z

NVD

Status : Received

Published: 2026-04-16T07:16:30.090

Modified: 2026-04-16T13:16:49.570

Link: CVE-2026-3861

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3861", "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", "state": "PUBLISHED", "assignerShortName": "LY-Corporation", "dateReserved": "2026-03-10T05:02:39.735Z", "datePublished": "2026-04-16T05:54:05.194Z", "dateUpdated": "2026-04-16T12:31:11.953Z"}, "containers": {"cna": {"affected": [{"vendor": "LINE Corporation", "product": "LINE client for iOS", "versions": [{"version": "-", "status": "affected", "versionType": "custom", "lessThan": "26.3.0"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "na"}]}], "descriptions": [{"lang": "en", "value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable."}], "references": [{"url": "https://hackerone.com/reports/3422905"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalScore": 6.5, "temporalSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "modifiedAttackComplexity": "LOW", "modifiedPrivilegesRequired": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedScope": "UNCHANGED", "modifiedConfidentialityImpact": "NONE", "modifiedIntegrityImpact": "NONE", "modifiedAvailabilityImpact": "HIGH", "environmentalScore": 6.5, "environmentalSeverity": "MEDIUM"}}], "providerMetadata": {"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", "shortName": "LY-Corporation", "dateUpdated": "2026-04-16T05:54:05.194Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-451", "lang": "en", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:16:15.191045Z", "id": "CVE-2026-3861", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:31:11.953Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3861", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:16:15.191045Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-451", "description": "CWE-451 User Interface (UI) Misrepresentation of Critical Information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:16:07.683Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "modifiedScope": "UNCHANGED", "temporalScore": 6.5, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "HIGH", "environmentalScore": 6.5, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NETWORK", "confidentialityImpact": "NONE", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "HIGH", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "LINE Corporation", "product": "LINE client for iOS", "versions": [{"status": "affected", "version": "-", "lessThan": "26.3.0", "versionType": "custom"}]}], "references": [{"url": "https://hackerone.com/reports/3422905"}], "descriptions": [{"lang": "en", "value": "LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs, potentially causing the iOS device to become temporarily inoperable."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "na"}]}], "providerMetadata": {"orgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", "shortName": "LY-Corporation", "dateUpdated": "2026-04-16T05:54:05.194Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3861", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:31:11.953Z", "dateReserved": "2026-03-10T05:02:39.735Z", "assignerOrgId": "657f3255-0560-4aed-82e4-7f579ec6acfb", "datePublished": "2026-04-16T05:54:05.194Z", "assignerShortName": "LY-Corporation"}, "dataVersion": "5.2"}