Overview
- WhatsApp published security advisories detailing two medium-severity CVEs and said the fixes are already available for Windows, iOS, and Android.
- CVE-2026-23863 on Windows let a file with embedded NUL bytes look like a harmless document while running as an executable, affecting versions before 2.3000.1032164386.258709.
- CVE-2026-23866 on mobile stemmed from incomplete checks on AI “rich response” Instagram Reels, which could load media from attacker URLs and trigger operating system custom URL handlers on iOS 2.25.8.0–2.26.15.72 and Android 2.25.8.0–2.26.7.10.
- Meta says unnamed researchers reported both bugs through its bug bounty program, and the company reports no evidence of exploitation in the wild.
- Users should update WhatsApp on all devices because these flaws lower the bar for social engineering and could be paired with other bugs to redirect people to phishing pages or launch other apps.
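
A receiving-side file name check for the kind of spoofing described under CVE-2026-23863, added here as an illustration; it is not WhatsApp's code or its fix. It assumes one component reads the name as a NUL-terminated string while another uses the full name. The function name `check_attachment_name`, the `EXECUTABLE_EXTS` list and the sample names are constructed for this example.

```python
import os
import unicodedata

# Assumption for this example: extensions the receiving platform would run.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".js", ".vbs", ".lnk", ".msi"}


def _ext(name: str) -> str:
    """Lower-cased final extension, ignoring trailing dots and spaces."""
    return os.path.splitext(name.rstrip(". "))[1].lower()


def check_attachment_name(raw: bytes) -> list[str]:
    """Return the reasons a received file name should be rejected (empty = OK)."""
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["not valid UTF-8"]
    findings = []
    # View 1: what a C-string consumer sees (stops at the first NUL).
    c_view = name.split("\x00", 1)[0]
    # View 2: what a consumer sees if it keeps the whole name and drops NULs.
    full_view = name.replace("\x00", "")
    if "\x00" in name:
        findings.append("embedded NUL byte")
        # Do not guess which view is displayed and which is executed:
        # any disagreement between the two is enough to reject.
        if _ext(c_view) != _ext(full_view):
            findings.append(
                f"extension mismatch: {_ext(c_view)!r} vs {_ext(full_view)!r}")
    # Other control (Cc) and format (Cf) characters can also alter rendering.
    if any(unicodedata.category(ch) in ("Cc", "Cf") for ch in full_view):
        findings.append("control or format character")
    if _ext(c_view) in EXECUTABLE_EXTS or _ext(full_view) in EXECUTABLE_EXTS:
        findings.append("executable extension")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in (b"report.pdf", b"report.pdf\x00.exe", b"setup.exe"):
        print(sample, "->", check_attachment_name(sample) or "ok")
```

The check belongs at the trust boundary where a peer-supplied name is first parsed, before it is shown to the user or used to build a path.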