Top/Articles/LINE for iOS bug can freeze your iPhone via a link (CVE-2026-3861)
line-ios-cve-cover-en

LINE for iOS bug can freeze your iPhone via a link (CVE-2026-3861)

LINE for iPhone flaw (CVE-2026-3861): a crafted link fills the screen with pop-ups and briefly freezes the device. No data stolen. Update to 26.3.0 to fix.

NewsPublished July 13, 2026 Updated today
Table of contents
Key takeaways

LINE for iPhone flaw (CVE-2026-3861): a crafted link fills the screen with pop-ups and briefly freezes the device. No data stolen. Update to 26.3.0 to fix.

A flaw in LINE for iPhone can make the device temporarily unusable the moment you tap a link someone sends you. On July 13, 2026, JVN, the vulnerability database run by Japan's JPCERT/CC, issued an advisory urging domestic users to update. The tracking number is CVE-2026-3861.

When a maliciously crafted web page is opened inside LINE, confirmation dialogs (pop-ups asking "Open this?") appear over and over until the screen fills up and nothing responds. The problem affects versions earlier than 26.3.0, and the developer LY Corporation (LINE Yahoo) has already shipped a fixed version. If you are up to date, this does not happen.

The reassuring part first: this does not let anyone steal your chats or hijack your account. All that happens is the screen freezes temporarily, and closing the app or restarting the phone brings it back. Still, because LINE is one of the most-used apps in Japan, it is worth knowing. Below is what happens, whether your phone is affected, and how to fix it.

What actually happens

In LINE, tapping a link in a chat opens the web page not in Safari but in a browser built into the app (an in-app browser). It is the screen that lets you read a news article or coupon page without leaving LINE.

This flaw was in that in-app browser. A web page can embed instructions to call up other apps ("open LINE," "open Maps," and so on) through a mechanism called a URL scheme. Normally, tapping one shows a single "Open this?" confirmation, but there was no brake on how those confirmations were shown.

As a result, a maliciously built page can fire hundreds of these dialogs in an instant. Pop-ups pile up faster than you can dismiss them, and the whole iPhone stops responding. The U.S. vulnerability database NVD and LY Corporation's official advisory describe this as the device "becoming temporarily inoperable."

Technically this is a type of flaw called denial of service (DoS). DoS means deliberately making a system or app stop working so it cannot be used. It is not an attack that steals information; think of it as the "get in the way" or "harass" type.

CVE-2026-3861 at a glance

ItemDetail
Tracking IDCVE-2026-3861 / JVNVU#94039788
AffectedLINE for iPhone / iPad
(before 26.3.0)
TypeDenial of service (DoS)
in-app browser flaw
Effectscreen fills with dialogs,
device temporarily unusable
Data theft / hijackNone
Severity (out of 10)7.1 (CVSS 4.0, High)
6.5 (CVSS 3.1, Medium)
Fixed inLINE for iOS 26.3.0 or later
DeveloperLY Corporation (LINE Yahoo)

The severity is rated 7.1 ("High" under the newest CVSS 4.0 scale), using CVSS, the common 10-point yardstick for how dangerous a vulnerability is. Because it does not steal information, the number is not sky-high, but the ease of it — it works over the network, needs no special privileges, and only requires the target to tap a link — is what pushes the score up.

Who would use this, and why

If anyone actually uses this flaw, it would be someone who wants to hassle a specific person: someone you are arguing with in a chat, a persistent harasser, or a sender blasting nuisance messages to many people. For attackers after money or data there is nothing to gain, so the motive here is closer to a "prank" or "harassment" than theft.

What they do is simple: send a crafted link in a LINE chat and, the instant the target taps it, flood the screen with dialogs. From the receiving side, it feels like you opened an ordinary link as usual, only for your iPhone to suddenly be buried in pop-ups and stop obeying you. Having harm begin just from opening a bad page is something it shares with iPhone spyware that infects you just by viewing a page and with a developer-tool flaw that hijacks you simply by opening a malicious site.

But the damage itself is very different from those hijacking cases. An end user loses only "a few dozen seconds to a few minutes when the phone is unusable." No chat history, contacts, or accounts are stolen. For companies and organizations too, this is a temporary inconvenience on an employee's personal device, not something that breaks a system. It is nothing to panic about — but since fixing it takes almost no effort, if you are affected it is best to get it done early.

Is my iPhone affected?

Whether you are affected comes down to one thing: whether your LINE version is 26.3.0 or higher. Check the quick table below.

LINE versionImpactWhat to do
Before 26.3.0Affected
(can become unusable)
Update to the latest now
26.3.0 or laterFixed
(not affected)
Nothing needed
Android versionNot in scope this timeAs usual

To find your version, open the settings (gear icon) at the top right of LINE's Home tab, scroll down, and tap "About LINE." If the number shown is 26.3.0 or higher, it is already fixed.

The fixed version started shipping around spring 2026, several months ago. If you have automatic app updates turned on, the update has most likely already been applied without you noticing. JVN reissued this advisory now as a reminder aimed at people who keep auto-update off, or who are still running an old version they have not updated in a long time.

How to fix it

The fix is simply to update the app. Open the App Store on your iPhone, tap the account icon at the top right, and if LINE appears in the updates list, tap "Update." If it is not there, search for LINE and check whether an "Update" button (rather than "Open") is shown. Once the version is 26.3.0 or higher, you are done.

To prevent a repeat, the surest step is to keep automatic app updates on. Turning on Settings → App Store → App Updates means future fixes like this get applied without you doing anything. Security fixes often ship quietly bundled into app updates, so keeping things current is a habit that heads off these small problems in bulk.

And if you happen to hit this state before updating, there is no need to panic. If LINE freezes with dialogs, quit the app once (swipe up from the bottom bar and flick LINE away), or restart the iPhone if that does not help, and it returns to normal. This does not erase your chats or data.

A technical look

In vulnerability terms, the root cause is CWE-400 (uncontrolled resource consumption). When the in-app browser displayed the URL-scheme confirmation dialogs requested by a web page, it set no cap on how many or how often. An attacker uses this to generate a flood of dialog requests in a short time, saturating the UI thread and driving the device into an unresponsive state.

The CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H: no impact on confidentiality (VC) or integrity (VI), with only availability (VA) rated High. In other words, the numbers themselves show this is a flaw dialed all the way toward "made unusable" rather than "stolen or altered." Exploitation requires the user to tap a link (UI:P); it does not fire on its own.

The issue was reported to LY Corporation through the bug-bounty platform HackerOne, and the developer disclosed and fixed it in coordination with JPCERT/CC. LY Corporation continuously publishes its product vulnerabilities on its security advisory blog, where the details of this one are laid out too. In-app browsers trade the freedom to call up other apps for the need to build in safeguards against "abuse of those calls" — a caution that applies to smartphone apps in general.

How this unfolded

← swipe to move

Common questions

Q. Can this flaw steal my LINE chats or account?

A. No. Nothing is stolen and no account is hijacked. All that happens is the screen freezes temporarily; your chat history, contacts, and photos are unaffected.

Q. What if my screen is stuck under a pile of pop-ups?

A. Quit the LINE app once, or restart the iPhone, and it returns to normal. This does not erase any data. Handle it calmly and you will be fine.

Q. Is the Android version of LINE safe?

A. This advisory covers only the iPhone/iPad (iOS) version. The Android version is not among the affected products. If you care about app management on your phone, see also the move to regulate Android sideloading.

Q. What about LINE on PC, iPad, or Ubuntu?

A. This one affects the iOS app. Separately, we cover environment topics such as how to run LINE on Linux in another article.

Bottom line

CVE-2026-3861 in LINE for iPhone is a flaw where opening a crafted link in the in-app browser fills the screen with dialogs and makes the device temporarily unusable. No data is leaked and no account is hijacked; the damage is limited to "the phone being unusable on the spot." The fixed version 26.3.0 is already out, and updating prevents it.

All you need to do is check your LINE version and, if it is earlier than 26.3.0, update. If you have auto-update on, it is probably already fixed. Precisely because so many people in Japan use this app every day, even a small flaw like this is one you will not panic over if you know about it. We also track other vulnerabilities in our daily security vulnerability roundup.

Sources

avatar-m-1

Makoto Horikawa

Backend Engineer / AWS / Django