Two flaws in WhatsApp have been patched by Meta, which says there is no evidence that either bug has been exploited in the wild. The vulnerabilities could be abused to interfere with how media and attachments are handled on your device. They do not automatically infect devices, but could be chained with other flaws for more serious attacks.
The first issue, CVE‑2026‑23866, affects how WhatsApp processes AI‑generated “rich response messages” that embed Instagram Reels. On affected iOS and Android versions, incomplete validation could cause the app to load media from an attacker‑controlled URL, sometimes triggering OS‑level custom URL scheme handlers.
The second bug, CVE‑2026‑23863, affects WhatsApp for Windows before version 2.3000.1032164386.258709 and relates to filenames containing embedded NUL bytes, which could make a file appear harmless while being treated as an executable when opened. Users are advised to update WhatsApp from the Google Play Store for Android or via the Microsoft Store for Windows. On Windows, check the exact installed version and update if necessary.
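A defensive check for the NUL-byte filename issue described above, as an added example that is not code from WhatsApp or Meta: it rejects any attachment name containing a control character and reports the extension under two readings of the name. The page does not say which reading the affected client displays and which it acts on; the extension list, function names and sample filenames are constructed assumptions.

```python
import unicodedata

# Assumption: extensions a Windows host launches instead of opening in a viewer.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif",
                   ".msi", ".js", ".vbs", ".lnk", ".ps1"}


def _ext(name):
    """Lower-cased final extension; trailing dots and spaces are ignored."""
    name = name.rstrip(". ")
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def inspect_filename(raw):
    """Check one attachment filename (str) received from an untrusted sender.

    Two readings are compared: the name cut at the first NUL (what a
    C-string API sees) and the name with control characters dropped (what
    a renderer that skips unprintable characters may show).
    """
    controls = sorted({f"U+{ord(c):04X}" for c in raw
                       if unicodedata.category(c) == "Cc"})
    truncated = raw.split("\x00", 1)[0]
    stripped = "".join(c for c in raw if unicodedata.category(c) != "Cc")
    exts = {_ext(truncated), _ext(stripped)}
    return {
        # Reject instead of repairing: any repair silently picks one reading.
        "reject": bool(controls),
        "executable": bool(exts & EXECUTABLE_EXTS),
        "extensions": sorted(exts),
        "controls": controls,
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    for sample in ["report.pdf", "invoice.pdf\x00.exe",
                   "setup.exe\x00.pdf", "notes\x00"]:
        print(repr(sample), inspect_filename(sample))
```

A name is rejected on any control character, whether or not an executable extension is involved, because the two readings can disagree in ways the extension list does not anticipate.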