
Meta has released security updates for WhatsApp addressing two vulnerabilities that could have exposed users to malicious files or attacker-controlled content on Android, iOS, and Windows devices.
The company says it has not seen evidence that either flaw was exploited in the wild.
The issues, tracked as CVE-2026-23866 and CVE-2026-23863, were disclosed in WhatsApp’s latest security advisories and reported through Meta’s Bug Bounty program by external researchers.
The first flaw, CVE-2026-23866, affects WhatsApp for Android versions 2.25.8.0–2.26.7.10 and WhatsApp for iOS versions 2.25.8.0–2.26.15.72.
According to Meta, the vulnerability stems from incomplete validation of AI-generated rich response messages tied to Instagram Reels. A specially crafted message could have caused WhatsApp to process media from an arbitrary attacker-controlled URL on a victim’s device. In some cases, the flaw could also trigger operating system-level custom URL scheme handlers.
Although the issue does not appear to directly enable remote code execution, it could potentially be used in social engineering attacks or chained with other vulnerabilities.
WhatsApp, which is used by billions of people worldwide, has increasingly integrated AI-powered and rich media features into the platform, making message parsing and content validation a growing security focus.
The second vulnerability, CVE-2026-23863, impacts WhatsApp Desktop for Windows versions prior to 2.3000.1032164386.258709.
Meta says the flaw involves improper handling of filenames containing embedded NUL bytes. An attacker could craft a malicious attachment that appears in WhatsApp as a harmless file type, such as a document, but executes as a program when opened.
The bug effectively created an attachment-spoofing scenario, a technique commonly used in phishing and malware campaigns to trick users into launching malicious executables disguised as legitimate files.
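A defender-side check for the filename confusion described above, as an added example that is not from Meta's advisory or WhatsApp's code: it compares the extension seen by a consumer that keeps the whole name with the one seen by a consumer that stops at the first NUL, and flags any mismatch. The function name, the extension list and the sample filenames are assumptions constructed for illustration; the advisory does not say which component reads the name which way, so the check treats any embedded NUL or other control character as hostile.

```python
import os
import unicodedata

# Assumed list of extensions that Windows launches as programs or scripts.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".msi", ".js", ".vbs", ".ps1", ".lnk", ".hta"}


def _ext(name: str) -> str:
    # Windows ignores trailing dots and spaces when resolving a file name.
    return os.path.splitext(name.rstrip(". "))[1].lower()


def inspect_attachment_name(raw: bytes) -> dict:
    """Report how two kinds of consumer would read the same attachment name."""
    name = raw.decode("utf-8", errors="replace")
    full_ext = _ext(name)                      # length-counted string: keeps everything
    nul_ext = _ext(name.split("\x00", 1)[0])   # C-style string: stops at first NUL
    reasons = []
    if "\x00" in name:
        reasons.append("embedded NUL byte")
    if any(unicodedata.category(ch) == "Cc" for ch in name.replace("\x00", "")):
        reasons.append("other control character")
    if full_ext != nul_ext:
        reasons.append("extension differs between views")
    if {full_ext, nul_ext} & EXECUTABLE_EXTS:
        reasons.append("executable extension in at least one view")
    return {"full_view_ext": full_ext, "nul_terminated_ext": nul_ext,
            "reject": bool(reasons), "reasons": reasons}


# Constructed sample names, not taken from the advisory.
SAMPLES = [b"holiday.jpg", b"report.pdf\x00.exe", b"notes.txt\x00", b"setup.exe"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, inspect_attachment_name(raw))
```

Running the same check at a mail or file gateway, before a name reaches any client, means a benign-looking extension in one view never outweighs an executable one in the other.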
Users are advised to update WhatsApp to the latest available version on all platforms immediately. Patched releases include WhatsApp for Android 2.26.7.10, WhatsApp for iOS 2.26.15.72, and WhatsApp Desktop for Windows 2.3000.1032164386.258709 or newer.
Android users can install updates through Google Play, iPhone users through Apple’s App Store, and Windows users through the Microsoft Store.
We would also recommend enabling automatic updates and avoiding unexpected attachments or links received through messaging platforms, even when they appear to come from trusted contacts.






