CVE-2026-7701: NULL Pointer Dereference in Telegram Desktop
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. Upgrading to version 6.7.6 is able to resolve this issue. Upgrading the affected component is recommended. The vendor provides this rationale for the dispute: "[T]he described scenario does not lead to any security issue or vulnerability, and only causes a one-time crash. In the outlined scenario, the targeted user must perform an active action, which doesn't produce any consequences after the app is relaunched."
AI Analysis
Technical Summary
This vulnerability affects Telegram Desktop versions 6.7.0 through 6.7.5 in the Bot API's RequestButton function within url_auth_box.cpp. Manipulating the login_url argument can trigger a null pointer dereference, leading to an application crash. The vulnerability can be triggered remotely but requires user interaction. The vendor contends that the crash does not result in further security issues beyond a temporary denial of service. The issue is fixed in Telegram Desktop version 6.7.6.
Potential Impact
The impact is limited to a potential one-time crash of the Telegram Desktop application when processing a crafted login_url in the Bot API. There is no evidence of data compromise, privilege escalation, or persistent denial of service. The vendor confirms no security consequences persist after the app is restarted.
Mitigation Recommendations
Upgrading Telegram Desktop to version 6.7.6 or later fully resolves this issue. Since the vendor states the vulnerability only causes a one-time crash without further security impact, no additional mitigation is required beyond applying the update.
CVE-2026-7701: NULL Pointer Dereference in Telegram Desktop
Description
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. Upgrading to version 6.7.6 is able to resolve this issue. Upgrading the affected component is recommended. The vendor provides this rationale for the dispute: "[T]he described scenario does not lead to any security issue or vulnerability, and only causes a one-time crash. In the outlined scenario, the targeted user must perform an active action, which doesn't produce any consequences after the app is relaunched."
CVSS v4.0
Score 5.3medium
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Telegram Desktop versions 6.7.0 through 6.7.5 in the Bot API's RequestButton function within url_auth_box.cpp. Manipulating the login_url argument can trigger a null pointer dereference, leading to an application crash. The vulnerability can be triggered remotely but requires user interaction. The vendor contends that the crash does not result in further security issues beyond a temporary denial of service. The issue is fixed in Telegram Desktop version 6.7.6.
Potential Impact
The impact is limited to a potential one-time crash of the Telegram Desktop application when processing a crafted login_url in the Bot API. There is no evidence of data compromise, privilege escalation, or persistent denial of service. The vendor confirms no security consequences persist after the app is restarted.
Mitigation Recommendations
Upgrading Telegram Desktop to version 6.7.6 or later fully resolves this issue. Since the vendor states the vulnerability only causes a one-time crash without further security impact, no additional mitigation is required beyond applying the update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulDB
- Date Reserved
- 2026-05-02T20:30:23.558Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f76efbcbff5d861037fa28
Added to database: 5/3/2026, 3:51:23 PM
Last enriched: 5/19/2026, 6:02:52 PM
Last updated: 6/18/2026, 2:29:20 AM
Views: 157
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.