Advisory ID: ngCERT-2026-050005
SUMMARY
A vulnerability has been identified in WhatsApp on iOS, Android, and Windows involving the processing of rich media responses linked to Instagram Reels content, tracked as CVE-2026-23866. The vulnerability may allow attackers to manipulate embedded metadata and trigger arbitrary or attacker-controlled URLs. This flaw can be exploited remotely through crafted messages, enabling phishing, malicious redirection, and potential cross-application invocation via unsafe URL handling. The issue increases exposure to social engineering-driven attacks within trusted messaging environments.
DESCRIPTION
The vulnerability CVE-2026-23866 is caused by inadequate validation of AI-generated rich response messages linked to Instagram Reels within WhatsApp. When users receive or interact with such messages, the application fails to properly validate embedded media URLs. This enables attackers to craft malicious content forcing victims' devices to retrieve and process data from attacker-controlled sources, potentially triggering operating system-level URL scheme handlers without user consent. This vulnerability affects WhatsApp for iOS (v2.25.8.0 – v2.26.15.72) and WhatsApp for Android (v2.25.8.0 – v2.26.7.10).

In addition, CVE-2026-23863 affects WhatsApp for Windows (versions prior to v2.3000.1032164386.258709). This is classified as an attachment spoofing vulnerability arising from improper handling of filenames containing embedded null bytes (\x00). This flaw allows attackers to disguise malicious files as legitimate attachments by exploiting differences between application-level and system-level filename interpretation, requiring only minimal user interaction (a single click) and no special privileges to exploit.
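The two weaknesses described above (an embedded media URL reaching an OS-level URL scheme handler, and a filename whose application-level and NUL-terminated system-level interpretations differ) can both be caught by input checks at the point where a client parses a rich message. The following is an added illustration, not WhatsApp code; the sample messages and the allowlist are assumptions chosen for the example.

```python
from urllib.parse import urlsplit

# Schemes a messaging client should be willing to dereference for embedded media.
# Custom app schemes, file:, javascript: etc. are rejected so that an
# attacker-controlled URL never reaches an OS-level URL scheme handler.
ALLOWED_SCHEMES = {"http", "https"}


def check_media_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for an embedded media URL taken from message metadata."""
    if any(ord(c) < 0x20 for c in url):
        return False, "control character in URL"
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.netloc:
        return False, "missing host"
    return True, "ok"


def c_string_view(name: str) -> str:
    """What a NUL-terminated (C string) filename API sees: text before the first \\x00."""
    return name.split("\x00", 1)[0]


def check_attachment_name(name: str) -> tuple[bool, str]:
    """Reject filenames whose app-level and OS-level interpretations diverge."""
    if "\x00" in name:
        shown = name.replace("\x00", "<NUL>")
        return False, f"embedded NUL: app shows {shown!r}, OS sees {c_string_view(name)!r}"
    if any(ord(c) < 0x20 for c in name):
        return False, "control character in filename"
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        return False, "path separator or reserved name"
    return True, "ok"


# Constructed sample messages (hypothetical, not real payloads) covering each case.
SAMPLES = [
    {"id": "m1", "media_url": "https://cdn.example.com/reel.mp4", "filename": "reel_summary.pdf"},
    {"id": "m2", "media_url": "customapp://open?target=settings", "filename": "notes.txt"},
    {"id": "m3", "media_url": "https://cdn.example.com/r.mp4", "filename": "report.pdf\x00.bin"},
]


def triage(samples: list[dict]) -> list[tuple[str, bool, str]]:
    """Evaluate each message; a message is accepted only if both checks pass."""
    results = []
    for msg in samples:
        url_ok, url_reason = check_media_url(msg["media_url"])
        name_ok, name_reason = check_attachment_name(msg["filename"])
        reason = url_reason if not url_ok else name_reason
        results.append((msg["id"], url_ok and name_ok, reason))
    return results
```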
Damage: Critical
Probability: Medium
Platform(s): iOS, Android, Windows
CONSEQUENCES
Successful exploitation of the vulnerability could lead to:
- Execution of malicious or unintended URL schemes.
- Unauthorised invocation of system-level applications or services.
- Delivery of phishing content or malware.
- Attachment spoofing, resulting in user deception.
- Potential compromise of sensitive information and device security.
SOLUTION/MITIGATION
ngCERT advises the following measures:
- Update WhatsApp for iOS, Android and Windows to versions later than v2.26.15.72, v2.26.7.10 and 2.3000.1038897100.261501, respectively.
- Apply mobile device management (MDM) policies enforcing mandatory app updates across enterprise environments.
- Monitor network traffic for anomalous URL scheme invocations originating from messaging applications.
- Educate users about risks associated with AI-generated rich media content in messaging platforms.
HYPERLINK
- https://www.whatsapp.com/security/advisories/2026
- https://cyberpress.org/whatsapp-flaw-lets-attackers-use-instagram/#google_vignette
- https://cybersecuritynews.com/whatsapp-vulnerability-leverage-instagram-reels/