WhatsApp customers: 'Replace instantly' as new bugs might inject 'harmful' information in your gadgets - The Occasions of India

WhatsApp users: 'Update right away' as new bugs could inject 'dangerous' files in your devices

WhatsApp father or mother Meta has printed a brand new safety advisory for the immediate messaging app. WhatsApp Safety Advisories 2026 Updates announce patches for 2 vulnerabilities. WhatsApp has mounted these two safety flaws that the corporate says will be misused to intrude with the way in which media and attachments are dealt with on customers’ gadgets. In accordance with Malwarebytes Labs, although these bugs don’t routinely infect gadgets, however they decrease the barrier for social engineering and could possibly be chained with different vulnerabilities for extra severe assaults.The primary difficulty, tracked as CVE‑2026‑23866, impacts how WhatsApp processes AI‑generated “wealthy response messages” that embed Instagram Reels. On affected iOS and Android variations, incomplete validation means a specifically crafted message might trigger the app to load media from an attacker‑managed URL. In some circumstances, this might set off working system‑degree customized URL scheme handlers. In different phrases: a booby‑trapped message might immediate your system to open content material from an untrusted supply.

What WhatsApp Safety Advisory says on the 2 bugs

CVE-2026-23866: Incomplete validation of AI wealthy response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 might have allowed a person to set off processing of media content material from an arbitrary URL on one other person’s system, together with triggering OS-controlled customized URL scheme handlers. We’ve got not seen proof of exploitation within the wild.CVE-2026-23863: An attachment spoofing difficulty in WhatsApp for Home windows previous to v2.3000.1032164386.258709 might have allowed maliciously formatted paperwork with embedded NUL bytes within the filename to be proven within the software as one kind of file however run as an executable when opened. We’ve got not seen proof of exploitation within the wild.The acknowledgement of each the bug findings is to exterior researchers by way of Meta Bug Bounty submission.