CVE-2026-23863 | THREATINT

Description

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.

PUBLISHED Reserved 2026-01-16 | Published 2026-05-01 | Updated 2026-05-01 | Assigner Meta

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C

Problem types

Improper Neutralization of Null Byte or NUL Character (CWE-158)

Product status

Default status

unaffected

2.3000.*.252500 (custom) before 2.3000.1032164386.258709

affected

References

www.facebook.com/security/advisories/cve-2026-23863

www.whatsapp.com/security/advisories/2026

cve.org (CVE-2026-23863)

nvd.nist.gov (CVE-2026-23863)

Download JSON