CVE-2021-30496: 
NixOS vulnerability analysis and mitigation

The Telegram app 7.6.2 for iOS contains a denial of service vulnerability (CVE-2021-30496) that allows remote authenticated users to cause an application crash. The vulnerability is triggered when a victim pastes an attacker-supplied message (e.g., in the Persian language) into a channel or group, causing a crash in the MtProtoKitFramework component. This vulnerability was discovered in April 2021, though it is disputed as Telegram's perspective is that this behavior cannot be considered a vulnerability (NVD).

The vulnerability manifests as a stack buffer overflow in the MtProtoKitFramework when processing certain message content. The issue has been assigned a CVSS v3.1 Base Score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H, indicating that it requires network access, low attack complexity, low privileges, and user interaction to exploit (NVD).

When successfully exploited, the vulnerability results in a denial of service condition through application crash. The crash occurs specifically in the MtProtoKitFramework component when the victim pastes certain types of messages into channels or groups (NVD, GitHub Log).

Telegram has disputed the classification of this issue as a vulnerability, stating that "this behavior can't be considered a vulnerability." This position has led to the CVE being marked as DISPUTED in the official record (NVD).