WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities
Meta's WhatsApp addressed two medium-severity vulnerabilities earlier this year. The first, CVE-2026-23863, affected WhatsApp for Windows and involved a file spoofing issue where maliciously crafted attachments with embedded NUL bytes could appear harmless but execute code when opened. The second, CVE-2026-23866, impacted WhatsApp for iOS and Android and involved incomplete validation of AI-generated Instagram Reels messages, potentially allowing processing of media from arbitrary URLs and triggering OS-level custom URL scheme handlers. Both vulnerabilities were responsibly disclosed through Meta's bug bounty program and have been patched. There is no evidence of exploitation in the wild. These issues highlight risks related to attachment handling and URL scheme processing in messaging apps.
AI Analysis
Technical Summary
Two medium-impact vulnerabilities were disclosed and patched in WhatsApp. CVE-2026-23863 is a file spoofing vulnerability in WhatsApp for Windows prior to version 2.3000.1032164386.258709, where attackers could embed NUL bytes in attachment filenames to disguise executables as harmless files. CVE-2026-23866 affects WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and Android (v2.25.8.0-v2.26.7.10), involving incomplete validation of AI rich response messages for Instagram Reels, allowing triggering of media processing from arbitrary URLs and OS-controlled custom URL scheme handlers. These flaws could enable attackers to execute malicious files or redirect users via custom URL schemes. Both were responsibly disclosed and patched by Meta, with no known exploitation in the wild.
Potential Impact
Successful exploitation of CVE-2026-23863 could allow an attacker to trick a user into executing a malicious file disguised as a harmless attachment on WhatsApp for Windows. CVE-2026-23866 could allow an attacker to cause a victim's device to process media content from arbitrary URLs and invoke OS-level custom URL scheme handlers, potentially leading to redirection to phishing sites or launching other apps. However, there is no evidence these vulnerabilities have been exploited in the wild.
Mitigation Recommendations
Both vulnerabilities have been patched by Meta in updates released earlier this year. Users should ensure they are running WhatsApp versions at or above 2.3000.1032164386.258709 on Windows, 2.26.15.72 on iOS, and 2.26.7.10 on Android. No additional mitigation is required as the issues are resolved in these official updates.
WhatsApp Discloses File Spoofing, Arbitrary URL Scheme Vulnerabilities
Description
Meta's WhatsApp addressed two medium-severity vulnerabilities earlier this year. The first, CVE-2026-23863, affected WhatsApp for Windows and involved a file spoofing issue where maliciously crafted attachments with embedded NUL bytes could appear harmless but execute code when opened. The second, CVE-2026-23866, impacted WhatsApp for iOS and Android and involved incomplete validation of AI-generated Instagram Reels messages, potentially allowing processing of media from arbitrary URLs and triggering OS-level custom URL scheme handlers. Both vulnerabilities were responsibly disclosed through Meta's bug bounty program and have been patched. There is no evidence of exploitation in the wild. These issues highlight risks related to attachment handling and URL scheme processing in messaging apps.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Two medium-impact vulnerabilities were disclosed and patched in WhatsApp. CVE-2026-23863 is a file spoofing vulnerability in WhatsApp for Windows prior to version 2.3000.1032164386.258709, where attackers could embed NUL bytes in attachment filenames to disguise executables as harmless files. CVE-2026-23866 affects WhatsApp for iOS (v2.25.8.0-v2.26.15.72) and Android (v2.25.8.0-v2.26.7.10), involving incomplete validation of AI rich response messages for Instagram Reels, allowing triggering of media processing from arbitrary URLs and OS-controlled custom URL scheme handlers. These flaws could enable attackers to execute malicious files or redirect users via custom URL schemes. Both were responsibly disclosed and patched by Meta, with no known exploitation in the wild.
Potential Impact
Successful exploitation of CVE-2026-23863 could allow an attacker to trick a user into executing a malicious file disguised as a harmless attachment on WhatsApp for Windows. CVE-2026-23866 could allow an attacker to cause a victim's device to process media content from arbitrary URLs and invoke OS-level custom URL scheme handlers, potentially leading to redirection to phishing sites or launching other apps. However, there is no evidence these vulnerabilities have been exploited in the wild.
Mitigation Recommendations
Both vulnerabilities have been patched by Meta in updates released earlier this year. Users should ensure they are running WhatsApp versions at or above 2.3000.1032164386.258709 on Windows, 2.26.15.72 on iOS, and 2.26.7.10 on Android. No additional mitigation is required as the issues are resolved in these official updates.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/whatsapp-discloses-file-spoofing-arbitrary-url-scheme-vulnerabilities/","fetched":true,"fetchedAt":"2026-05-05T09:06:22.842Z","wordCount":930}
Threat ID: 69f9b30ecbff5d8610e1246e
Added to database: 5/5/2026, 9:06:22 AM
Last enriched: 5/5/2026, 9:06:30 AM
Last updated: 5/5/2026, 10:13:18 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.