LINE for iOS bug can freeze your iPhone via a link (CVE-2026-3861)
LINE for iPhone flaw (CVE-2026-3861): a crafted link fills the screen with pop-ups and briefly freezes the device. No data stolen. Update to 26.3.0 to fix.
Table of contents
LINE for iPhone flaw (CVE-2026-3861): a crafted link fills the screen with pop-ups and briefly freezes the device. No data stolen. Update to 26.3.0 to fix.
A flaw in LINE for iPhone can make the device temporarily unusable the moment you tap a link someone sends you. On July 13, 2026, JVN, the vulnerability database run by Japan's JPCERT/CC, issued an advisory urging domestic users to update. The tracking number is CVE-2026-3861.
When a maliciously crafted web page is opened inside LINE, confirmation dialogs (pop-ups asking "Open this?") appear over and over until the screen fills up and nothing responds. The problem affects versions earlier than 26.3.0, and the developer LY Corporation (LINE Yahoo) has already shipped a fixed version. If you are up to date, this does not happen.
The reassuring part first: this does not let anyone steal your chats or hijack your account. All that happens is the screen freezes temporarily, and closing the app or restarting the phone brings it back. Still, because LINE is one of the most-used apps in Japan, it is worth knowing. Below is what happens, whether your phone is affected, and how to fix it.
What actually happens
In LINE, tapping a link in a chat opens the web page not in Safari but in a browser built into the app (an in-app browser). It is the screen that lets you read a news article or coupon page without leaving LINE.
This flaw was in that in-app browser. A web page can embed instructions to call up other apps ("open LINE," "open Maps," and so on) through a mechanism called a URL scheme. Normally, tapping one shows a single "Open this?" confirmation, but there was no brake on how those confirmations were shown.
As a result, a maliciously built page can fire hundreds of these dialogs in an instant. Pop-ups pile up faster than you can dismiss them, and the whole iPhone stops responding. The U.S. vulnerability database NVD and LY Corporation's official advisory describe this as the device "becoming temporarily inoperable."
Technically this is a type of flaw called denial of service (DoS). DoS means deliberately making a system or app stop working so it cannot be used. It is not an attack that steals information; think of it as the "get in the way" or "harass" type.
CVE-2026-3861 at a glance
| Item | Detail |
|---|---|
| Tracking ID | CVE-2026-3861 / JVNVU#94039788 |
| Affected | LINE for iPhone / iPad (before 26.3.0) |
| Type | Denial of service (DoS) in-app browser flaw |
| Effect | screen fills with dialogs, device temporarily unusable |
| Data theft / hijack | None |
| Severity (out of 10) | 7.1 (CVSS 4.0, High) 6.5 (CVSS 3.1, Medium) |
| Fixed in | LINE for iOS 26.3.0 or later |
| Developer | LY Corporation (LINE Yahoo) |
The severity is rated 7.1 ("High" under the newest CVSS 4.0 scale), using CVSS, the common 10-point yardstick for how dangerous a vulnerability is. Because it does not steal information, the number is not sky-high, but the ease of it — it works over the network, needs no special privileges, and only requires the target to tap a link — is what pushes the score up.
Who would use this, and why
If anyone actually uses this flaw, it would be someone who wants to hassle a specific person: someone you are arguing with in a chat, a persistent harasser, or a sender blasting nuisance messages to many people. For attackers after money or data there is nothing to gain, so the motive here is closer to a "prank" or "harassment" than theft.
What they do is simple: send a crafted link in a LINE chat and, the instant the target taps it, flood the screen with dialogs. From the receiving side, it feels like you opened an ordinary link as usual, only for your iPhone to suddenly be buried in pop-ups and stop obeying you. Having harm begin just from opening a bad page is something it shares with iPhone spyware that infects you just by viewing a page and with a developer-tool flaw that hijacks you simply by opening a malicious site.
But the damage itself is very different from those hijacking cases. An end user loses only "a few dozen seconds to a few minutes when the phone is unusable." No chat history, contacts, or accounts are stolen. For companies and organizations too, this is a temporary inconvenience on an employee's personal device, not something that breaks a system. It is nothing to panic about — but since fixing it takes almost no effort, if you are affected it is best to get it done early.
Is my iPhone affected?
Whether you are affected comes down to one thing: whether your LINE version is 26.3.0 or higher. Check the quick table below.
| LINE version | Impact | What to do |
|---|---|---|
| Before 26.3.0 | Affected (can become unusable) | Update to the latest now |
| 26.3.0 or later | Fixed (not affected) | Nothing needed |
| Android version | Not in scope this time | As usual |
To find your version, open the settings (gear icon) at the top right of LINE's Home tab, scroll down, and tap "About LINE." If the number shown is 26.3.0 or higher, it is already fixed.
The fixed version started shipping around spring 2026, several months ago. If you have automatic app updates turned on, the update has most likely already been applied without you noticing. JVN reissued this advisory now as a reminder aimed at people who keep auto-update off, or who are still running an old version they have not updated in a long time.
How to fix it
The fix is simply to update the app. Open the App Store on your iPhone, tap the account icon at the top right, and if LINE appears in the updates list, tap "Update." If it is not there, search for LINE and check whether an "Update" button (rather than "Open") is shown. Once the version is 26.3.0 or higher, you are done.
To prevent a repeat, the surest step is to keep automatic app updates on. Turning on Settings → App Store → App Updates means future fixes like this get applied without you doing anything. Security fixes often ship quietly bundled into app updates, so keeping things current is a habit that heads off these small problems in bulk.
And if you happen to hit this state before updating, there is no need to panic. If LINE freezes with dialogs, quit the app once (swipe up from the bottom bar and flick LINE away), or restart the iPhone if that does not help, and it returns to normal. This does not erase your chats or data.
A technical look
In vulnerability terms, the root cause is CWE-400 (uncontrolled resource consumption). When the in-app browser displayed the URL-scheme confirmation dialogs requested by a web page, it set no cap on how many or how often. An attacker uses this to generate a flood of dialog requests in a short time, saturating the UI thread and driving the device into an unresponsive state.
The CVSS 4.0 vector is AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H: no impact on confidentiality (VC) or integrity (VI), with only availability (VA) rated High. In other words, the numbers themselves show this is a flaw dialed all the way toward "made unusable" rather than "stolen or altered." Exploitation requires the user to tap a link (UI:P); it does not fire on its own.
The issue was reported to LY Corporation through the bug-bounty platform HackerOne, and the developer disclosed and fixed it in coordination with JPCERT/CC. LY Corporation continuously publishes its product vulnerabilities on its security advisory blog, where the details of this one are laid out too. In-app browsers trade the freedom to call up other apps for the need to build in safeguards against "abuse of those calls" — a caution that applies to smartphone apps in general.
How this unfolded
← swipe to move
Common questions
Q. Can this flaw steal my LINE chats or account?
A. No. Nothing is stolen and no account is hijacked. All that happens is the screen freezes temporarily; your chat history, contacts, and photos are unaffected.
Q. What if my screen is stuck under a pile of pop-ups?
A. Quit the LINE app once, or restart the iPhone, and it returns to normal. This does not erase any data. Handle it calmly and you will be fine.
Q. Is the Android version of LINE safe?
A. This advisory covers only the iPhone/iPad (iOS) version. The Android version is not among the affected products. If you care about app management on your phone, see also the move to regulate Android sideloading.
Q. What about LINE on PC, iPad, or Ubuntu?
A. This one affects the iOS app. Separately, we cover environment topics such as how to run LINE on Linux in another article.
Bottom line
CVE-2026-3861 in LINE for iPhone is a flaw where opening a crafted link in the in-app browser fills the screen with dialogs and makes the device temporarily unusable. No data is leaked and no account is hijacked; the damage is limited to "the phone being unusable on the spot." The fixed version 26.3.0 is already out, and updating prevents it.
All you need to do is check your LINE version and, if it is earlier than 26.3.0, update. If you have auto-update on, it is probably already fixed. Precisely because so many people in Japan use this app every day, even a small flaw like this is one you will not panic over if you know about it. We also track other vulnerabilities in our daily security vulnerability roundup.
Sources
- ▸ JVN - JVNVU#94039788, denial-of-service vulnerability in LINE for iOS (July 13, 2026)
- ▸ LY Corporation Security Advisory - CVE-2026-3861 (April 30, 2026)
- ▸ NVD - CVE-2026-3861 Detail (published April 16, 2026)
- ▸ CVE-2026-3861 - CVSS score and vector details
- ▸ HackerOne - Report #3422905 (CVE-2026-3861 disclosure)

Makoto Horikawa
Backend Engineer / AWS / Django