
WhatsApp users on Windows, iPhone, and Android should confirm they are running the latest version of the messaging app after Meta disclosed and patched two security flaws in a 2026 advisory, one of which can disguise a malicious program as a harmless document. Security firm Malwarebytes urged the app's roughly 3 billion users to update on May 5, 2026, and the patched builds Meta named remain the recommended versions today. If your WhatsApp is older than those builds, an attacker who sends you a crafted message or attachment could trick you into opening content you believe is safe.
Both bugs are rated medium severity, and Meta states in its advisory that it has "not seen evidence of exploitation in the wild" for either one. That makes this a maintenance update rather than an emergency, but the protective action is the same: install the patched version and turn on automatic updates so the next fix arrives without a manual check.
Windows Bug Disguises an Executable as a Document
The more serious of the two flaws, tracked as CVE-2026-23863, affects WhatsApp for Windows before version 2.3000.1032164386.258709. Meta describes it as an "attachment spoofing issue" that "could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened."
The U.S. National Vulnerability Database lists the bug with a CVSS base score of 6.5, assigned by Meta as the reporting authority. The vector behind that score confirms two facts that shape the real-world risk: the flaw requires user interaction, so it cannot trigger on its own, but its integrity impact is rated high, meaning a successful trick results in code execution rather than a mere information leak. In plain terms, nothing happens until the recipient double-clicks the attachment, and when they do, the wrong program runs.
How a NUL Byte Hides an .exe Behind a Document Name
The Windows flaw turns on a decades-old mismatch in how software reads text. In many programming languages, the NUL byte — an invisible control character represented as a single zero value — marks the end of a string. WhatsApp's interface honors that convention and stops reading a filename at the NUL byte, so an attachment named to look like an innocent document displays exactly that way to the recipient. The underlying Windows file-handling logic does not stop there; it reads the full name, including the real executable extension hidden after the NUL byte, and launches the file accordingly.
The result is a presentation layer that disagrees with the execution layer. The name the user sees is not the name the operating system acts on. MITRE catalogs this weakness class as improper neutralization of a NUL character, or CWE-158, and the same logic underpins a long line of file-validation bypasses across the software industry. Malwarebytes summarized the practical effect bluntly: "that's a classic recipe for social engineering: 'click the PDF,' but get an .exe file."
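To make the display/execution split concrete, here is an added example (not WhatsApp's or Meta's code, and a model of the behaviour described above rather than the client's actual logic): it computes the name a NUL-terminating display layer would show and the name a layer that reads every byte would act on, then applies the defensive rule of rejecting any attachment name that contains a NUL. The document and executable extension sets are assumed.

```python
# Added example, not WhatsApp's or Meta's code: models the NUL-byte filename
# split described in the article and the defender-side check that closes it.
DOCUMENT_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".txt"}  # assumed lists
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".ps1"}


def displayed_name(raw: bytes) -> str:
    """Name as a C-string-style display layer shows it: reading stops at the first NUL."""
    end = raw.find(b"\x00")
    return (raw if end == -1 else raw[:end]).decode("utf-8", "replace")


def effective_name(raw: bytes) -> str:
    """Name as a layer that keeps every byte would act on (model assumption: NULs
    are dropped, so the extension that follows the NUL becomes the real one)."""
    return raw.replace(b"\x00", b"").decode("utf-8", "replace")


def extension(name: str) -> str:
    """Lower-cased suffix from the last dot, or '' when there is none."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def analyze_attachment_name(raw: bytes) -> dict:
    """Compare the two views of the name and decide whether to accept it.
    The safe rule is to reject any name containing a NUL at all (CWE-158),
    not merely the names where the two extensions disagree."""
    shown, full = displayed_name(raw), effective_name(raw)
    shown_ext, full_ext = extension(shown), extension(full)
    has_nul = b"\x00" in raw
    return {
        "displayed": shown,
        "effective": full,
        "displayed_ext": shown_ext,
        "effective_ext": full_ext,
        "executable_disguised_as_document": has_nul
        and shown_ext in DOCUMENT_EXTENSIONS
        and full_ext in EXECUTABLE_EXTENSIONS,
        "accept": not has_nul,
    }


if __name__ == "__main__":
    # constructed sample names, not real attachments
    for raw in (b"Q2-invoice.pdf\x00.exe", b"Q2-invoice.pdf", b"notes.txt\x00.docx"):
        print(analyze_attachment_name(raw))
```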
This is the second WhatsApp for Windows spoofing flaw of its kind in roughly a year. In 2025, Meta patched a separate Windows attachment bug, CVE-2025-30401, in which a mismatch between a file's displayed type and the handler that opened it could likewise cause a recipient to run an executable disguised as a document. The new NUL-byte variant reaches the same outcome through a different trick, which is why the fix is a client-side change to how WhatsApp parses filenames rather than anything a user can configure.
Reels Preview Bug Can Load Media From an Attacker's URL
The second flaw, CVE-2026-23866, lives on phones. It concerns how WhatsApp processes AI-generated "rich response messages" that embed Instagram Reels. According to Meta's advisory, incomplete validation of those messages "could have allowed a user to trigger processing of media content from an arbitrary URL on another user's device, including triggering OS-controlled custom URL scheme handlers."
Mechanically, the preview that should pull a Reel from a trusted source can instead be pointed at an attacker-controlled web address. Because the flaw can reach the operating system's custom URL scheme handlers — the routing layer that decides which app opens a link such as one beginning with tel: or a third-party app's own scheme — a booby-trapped message could prompt a device to open content, or an app, the sender never should have been able to invoke. Malwarebytes described it as a message that could "prompt your device to open content from an untrusted source." The advisory specifies the affected releases: WhatsApp for iOS from version 2.25.8.0 through 2.26.15.72, and WhatsApp for Android from version 2.25.8.0 through 2.26.7.10. Releases newer than those ranges already contain the fix.
How Do You Check Your WhatsApp Version and Update It?
For most people the fix arrives automatically, but app-store rollouts are staggered by region, so a manual check is worth a minute.
On Windows, find your version number by clicking your profile picture and selecting Help and feedback. If the number is earlier than 2.3000.1032164386.258709, update through the Microsoft Store: open the Store, click Library in the lower-left corner, find WhatsApp Desktop, and click Get Updates or Update, then restart the app. Enabling automatic app updates in the Microsoft Store settings keeps the desktop client current without further checks.
On Android, update through the Google Play Store by opening the Play Store, searching for WhatsApp Messenger, and tapping Update. Malwarebytes cautions that updates may not appear in every region at once. On iPhone, open the App Store, tap your profile icon, scroll to WhatsApp, and tap Update; if the app is not listed, searching for it shows whether an update is available. Meta also advises keeping the mobile operating system current, since the Reels-preview flaw can reach OS-level URL handlers.
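As an added example (not Meta's or Malwarebytes' code), here are the version ranges named in the advisory turned into an inventory check for a fleet of managed devices: it compares dotted build numbers segment by segment, treats Windows builds before the fixed version and the inclusive mobile ranges as affected, and returns the devices that still need the update. The sample inventory is constructed.

```python
# Added example, not Meta's or Malwarebytes' code: flags WhatsApp builds that
# fall inside the affected ranges named in the 2026 advisory.
FIXED_WINDOWS = "2.3000.1032164386.258709"          # first fixed Windows build
AFFECTED_RANGES = {                                  # inclusive (first, last) affected builds
    "ios": ("2.25.8.0", "2.26.15.72"),
    "android": ("2.25.8.0", "2.26.7.10"),
}


def parse_version(s: str) -> tuple:
    """Turn '2.26.7.10' into (2, 26, 7, 10); purely numeric segments are assumed."""
    return tuple(int(p) for p in s.strip().split("."))


def compare(a: tuple, b: tuple) -> int:
    """Segment-wise comparison; a shorter tuple is padded with zeros, so 2.26 == 2.26.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def is_affected(platform: str, version: str) -> bool:
    """True when this build is one the advisory lists as vulnerable."""
    v, p = parse_version(version), platform.lower()
    if p == "windows":
        return compare(v, parse_version(FIXED_WINDOWS)) < 0
    if p in AFFECTED_RANGES:
        lo, hi = (parse_version(x) for x in AFFECTED_RANGES[p])
        return compare(v, lo) >= 0 and compare(v, hi) <= 0
    raise ValueError(f"unknown platform: {platform}")


def audit(inventory) -> list:
    """Return the devices needing an update, given (device, platform, version) rows."""
    return [dev for dev, plat, ver in inventory if is_affected(plat, ver)]


# constructed sample inventory, not real devices
SAMPLE_INVENTORY = [
    ("laptop-01", "windows", "2.3000.1032164386.258709"),  # exactly the fixed build
    ("laptop-02", "windows", "2.3000.1031"),               # older, fewer segments
    ("phone-03", "ios", "2.26.15.72"),                     # last affected iOS build
    ("phone-04", "ios", "2.26.16.0"),
    ("phone-05", "android", "2.26.7.11"),                  # one past the Android range
    ("phone-06", "android", "2.25.7.99"),                  # before the range begins
]

if __name__ == "__main__":
    print("needs update:", audit(SAMPLE_INVENTORY))
```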
Why a Month-Old Advisory Still Matters
Both flaws share a single tactic: they manipulate what the user sees so a dangerous action looks safe. The Windows bug dresses an executable in a document's name; the Reels-preview bug dresses an attacker's web address as a trusted media preview. Neither is a zero-click compromise — each depends on the recipient interacting with a crafted message or attachment, which is why researchers frame the risk as social engineering rather than automatic infection. It also means the only variable left is whether a given user has installed the patch.
The advisory surfaced about a month before the start of June 2026, and no newer WhatsApp advisory has superseded the versions Meta named, so the patched builds remain the current benchmark. The disclosure also follows a far larger WhatsApp episode in November 2025, when researchers showed the app's contact-discovery system could be abused to enumerate data tied to 3.5 billion accounts. The two 2026 flaws are narrower and were closed quietly through Meta's bug bounty program before any public evidence of abuse, but they reinforce the same baseline habit: run the current version, enable automatic updates, and treat unexpected attachments and links with caution even when they come from a known contact.
Frequently Asked Questions
Is WhatsApp safe to use right now?
Yes, provided you are running a patched version. Meta has already fixed both flaws and says neither has been exploited in the wild, so the remaining risk falls only on users who have not yet updated to the builds named in the advisory.
What versions of WhatsApp are affected by the new flaws?
The Windows attachment flaw affects WhatsApp for Windows before version 2.3000.1032164386.258709. The Instagram Reels preview flaw affects WhatsApp for iOS versions 2.25.8.0 through 2.26.15.72 and WhatsApp for Android versions 2.25.8.0 through 2.26.7.10.
How do I update WhatsApp on my phone?
On Android, open the Google Play Store, search for WhatsApp Messenger, and tap Update. On iPhone, open the App Store, tap your profile icon, scroll to WhatsApp, and tap Update. Turning on automatic updates installs future patches without a manual check.
Were WhatsApp users actually hacked by these bugs?
There is no evidence of real-world exploitation. Meta states in its advisory that it has not seen either flaw used in an attack, and both were reported privately by outside researchers through the company's bug bounty program rather than discovered after an incident.
ⓒ 2026 TECHTIMES.com All rights reserved. Do not reproduce without permission.