CVE-2021-30496

Vulnerability

The vulnerability resides in the MtProtoKitFramework of Telegram for iOS, version 7.6.2. A remote authenticated attacker can cause a denial of service (application crash) by sending a message containing certain Persian characters to a channel or group. The crash is triggered when the victim pastes the attacker-supplied message into any channel or group within the app [1].

Exploitation

An attacker must be an authenticated Telegram user. They craft a message (e.g., in the Persian language) that exploits the parsing flaw in MtProtoKitFramework. The attacker sends this message to a channel or group where the victim is a member. The victim then copies and pastes the message into the same or another channel or group. The paste action immediately crashes the Telegram app [1].

Impact

Successful exploitation causes the Telegram iOS app to crash, resulting in a temporary denial of service. The app can be relaunched without data loss. No code execution, privilege escalation, or persistent damage has been reported [1].

Mitigation

No official fix has been released; the vendor stated that “this behavior can't be considered a vulnerability.” Users are advised to avoid pasting untrusted messages, especially those containing non-Latin characters. As of the publication date (2021-04-20), no patch is available, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].