VYPR
Unrated severity · NVD Advisory · Published Feb 11, 2021 · Updated Aug 3, 2024

Video feed was captured while user has disabled video

CVE-2021-21301

Description

Wire iOS before 3.75 fails to stop video capture when the user disables the camera, so video keeps streaming to the call even though the user believes it is off.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Wire for iOS (iPhone and iPad) versions prior to 3.75, a bug exists where the video capture is not stopped when a user first enables their camera and then disables it. This means the camera continues to stream video to the call even though the user believes it is turned off. The issue affects all users participating in video calls on affected versions.

Exploitation

An attacker who is a participant in the same video call can receive the victim's video stream after the victim has disabled their camera. No special network position, authentication, or user interaction beyond being in the call is required. The victim's action of disabling the camera fails to actually stop the capture due to the vulnerability.

Impact

This is a privacy issue: the victim's video is transmitted to other call participants without their knowledge or consent, leading to unintended information disclosure of the victim's visual surroundings.

Mitigation

The vulnerability is fixed in Wire iOS version 3.75, released on 2021-02-11. Users should update to this version or later. No workarounds are available. The fix is implemented in commit [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Wordapp/Wire Ios (llm-fuzzy): 2 versions, <3.75 + 1 more
    • (no CPE) range: <3.75
    • (no CPE) range: < 3.75

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `SelfVideoPreviewView` did not stop the underlying video capture when the stream's video state changed to stopped, paused, or any non-started state."

Attack vector

A user participating in a video call toggles their camera off via the UI, which sets the stream's `videoState` to `.stopped`. Because the `SelfVideoPreviewView` did not react to this state change, the underlying `AVSVideoPreview` continued capturing video. The video stream therefore remained active and was transmitted to other call participants, contrary to the user's expectation that their camera was disabled. No special network position or authentication bypass is required — any user in a video call can trigger the bug by simply disabling their camera.

Affected code

The vulnerability resides in `SelfVideoPreviewView` in the Wire iOS client. The class previously did not update the video capture state when the `stream` property changed, meaning that disabling the camera (setting `videoState` to `.stopped`) did not stop the underlying `AVSVideoPreview` capture. The patch adds a `didSet` observer on `stream` that calls `updateCaptureState()`, which stops capture when the video state is not `.started`.

What the fix does

The fix adds a `didSet` observer on the `stream` property of `SelfVideoPreviewView` that calls a new `updateCaptureState()` method. That method checks whether `stream.videoState == .started`; if so it calls `startCapture()`, otherwise it calls `stopCapture()`. Additionally, in `VideoGridViewController.updateSelfPreview()`, when the self stream is not found, the code now explicitly calls `stopCapture()` on the preview view. These changes ensure that the video capture is always stopped when the user disables their camera, closing the privacy leak.
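
The state-driven capture pattern described above, as an added example that is not code from the Wire iOS repository. `Stream`, `VideoState`, `FakeCapture` and both view classes are simplified stand-ins assumed for illustration; only the names `stream`, `videoState`, `updateCaptureState()`, `startCapture()` and `stopCapture()` follow the page.

```swift
import Foundation

// Simplified stand-ins (assumptions); not the Wire iOS source.
enum VideoState { case started, stopped, paused }

struct Stream { var videoState: VideoState }

// Hypothetical stand-in for the AVSVideoPreview capture backend named on the page.
final class FakeCapture {
    private(set) var isCapturing = false
    func startVideoCapture() { isCapturing = true }
    func stopVideoCapture() { isCapturing = false }
}

// Pre-fix behaviour as described: assigning a new stream changes nothing.
final class UnpatchedPreviewView {
    let capture = FakeCapture()
    var stream: Stream
    init(stream: Stream) { self.stream = stream }
    func startCapture() { capture.startVideoCapture() }
    func stopCapture() { capture.stopVideoCapture() }
}

// Post-fix pattern: every stream update re-derives the capture state.
final class PatchedPreviewView {
    let capture = FakeCapture()
    var stream: Stream { didSet { updateCaptureState() } }
    init(stream: Stream) {
        self.stream = stream      // didSet does not fire during init
        updateCaptureState()
    }
    func startCapture() { capture.startVideoCapture() }
    func stopCapture() { capture.stopVideoCapture() }
    // Fail closed: anything other than .started stops the camera.
    private func updateCaptureState() {
        if stream.videoState == .started { startCapture() } else { stopCapture() }
    }
}

// Constructed scenario: camera enabled, then disabled during the call.
let before = UnpatchedPreviewView(stream: Stream(videoState: .started))
before.startCapture()
before.stream = Stream(videoState: .stopped)
print("unpatched still capturing:", before.capture.isCapturing)

let after = PatchedPreviewView(stream: Stream(videoState: .started))
after.stream = Stream(videoState: .stopped)
print("patched still capturing:", after.capture.isCapturing)
```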

Preconditions

  • config: User must be in a video call on Wire for iOS
  • input: User must have initially enabled their camera and then disabled it during the call

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

3
