CVE-2026-23863
WhatsApp for Windows Attachment Spoofing via NUL Byte Filename
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: Facebook, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| to 2.3000.1032164386.258709 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-158 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an attachment spoofing issue in WhatsApp for Windows versions prior to v2.3000.1032164386.258709. It involves maliciously formatted documents that contain embedded NUL bytes in their filenames. These files can appear as one type of file within the application but actually execute as a different type, specifically as an executable, when opened.
How can this vulnerability impact me? :
The impact of this vulnerability is that a user could be tricked into opening a file that looks harmless but actually runs executable code. This could lead to the execution of malicious software on the user's system, potentially compromising security, privacy, or system integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update WhatsApp for Windows to version 2.3000.1032164386.258709 or later, as the issue is fixed in these versions.