
WhatsApp Quietly Fixed Two Flaws That Could Make Malware Look Like a PDF

WhatsApp patched two medium-severity flaws — a file spoofing bug on Windows and an AI-linked URL hijack on iOS/Android. Update now.


If you use WhatsApp on Windows, here is something worth knowing: until recently, an attacker could send you what looked like a harmless document — a PDF, an invoice, or any other ordinary file — and the moment you opened it, your machine would execute it as a program. Meta has now patched that flaw, along with a second vulnerability tied to WhatsApp's AI integration with Instagram Reels.

Meta disclosed both issues through its official security advisories this week. Neither has been observed being exploited in the wild, and fixes are already live — but the mechanics of both bugs are worth understanding.

The Windows Attachment Trick

CVE-2026-23863 is a file spoofing vulnerability affecting WhatsApp for Windows versions prior to v2.3000.1032164386.258709. The attacker embeds NUL bytes (null characters invisible to the user interface) inside a file's name. 

WhatsApp's Windows client would render the file as a benign document type — say, a .pdf — while the operating system would read past the NUL byte and execute it as something else entirely, such as an .exe. It is a deceptive technique that has existed in some form for decades and remains effective when applications fail to properly sanitise filenames.
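The display-versus-execution mismatch described above comes down to two layers reading the same filename differently. The following Python is an added example, not WhatsApp's code or Meta's fix; it assumes the display layer stops at the first NUL byte (C-string behaviour) while the name the OS acts on is the full string with NULs dropped, and it shows the check a client should perform before showing an attachment: reject any name containing control characters, and compare the extension the user would see with the one the OS would use. The list of dangerous extensions is constructed for the example.

```python
"""Detecting NUL-byte filename spoofing in received attachment names (added example)."""
from pathlib import PureWindowsPath

# Constructed for this example: extensions a chat client should never present
# as a plain "document" regardless of what the displayed name suggests.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                        ".ps1", ".js", ".vbs", ".lnk"}


def displayed_name(filename: str) -> str:
    """Name as rendered by a UI that stops at the first NUL byte (assumption)."""
    nul = filename.find("\x00")
    return filename if nul == -1 else filename[:nul]


def effective_name(filename: str) -> str:
    """Name the OS would act on: the whole string with NULs stripped (assumption)."""
    return filename.replace("\x00", "")


def extension_of(name: str) -> str:
    """Lower-cased final extension, using Windows path rules."""
    return PureWindowsPath(name).suffix.lower()


def classify_attachment(filename: str) -> dict:
    """Verdict for a received attachment name.

    'reject' when the name carries NUL or other control characters, or when the
    extension the user sees differs from the one the OS would act on;
    'warn' when the name is honest but points at an executable type;
    'allow' otherwise.
    """
    has_control = any(ord(c) < 0x20 for c in filename)
    shown = displayed_name(filename)
    real = effective_name(filename)
    shown_ext = extension_of(shown)
    real_ext = extension_of(real)
    spoofed = has_control or shown_ext != real_ext
    executable = real_ext in DANGEROUS_EXTENSIONS
    return {
        "shown": shown,
        "shown_ext": shown_ext,
        "real_ext": real_ext,
        "spoofed": spoofed,
        "executable": executable,
        "verdict": "reject" if spoofed else ("warn" if executable else "allow"),
    }


def sanitize_filename(filename: str, replacement: str = "_") -> str:
    """Replace every control character (NUL included) so the name shown is the name used."""
    return "".join(replacement if ord(c) < 0x20 else c for c in filename)


if __name__ == "__main__":
    # Constructed sample names; the second mimics the pattern the advisory describes.
    for name in ["report.pdf", "invoice.pdf\x00.exe", "setup.exe", "notes\x00.txt"]:
        print(repr(name), classify_attachment(name))
```

The point of `classify_attachment` is that the decision is made on the full byte string, never on the truncated display form; `sanitize_filename` is the fallback for clients that must still save the file, because once the NUL is gone the user sees the real `.exe` suffix and the spoof collapses into an ordinary "warn".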

The Instagram Reels AI Angle

The second flaw, CVE-2026-23866, sits on a less obvious attack surface: WhatsApp's handling of AI-generated rich response messages for Instagram Reels. Due to incomplete validation, a malicious actor could cause a target device to load media from an arbitrary URL—and, more critically, invoke OS-level custom URL scheme handlers. 

On iOS and Android, custom URL schemes (facetime:, tel:, itms-apps:, or third-party app deep links) can be weaponized to redirect users to phishing pages, silently open apps, or probe installed software. The flaw affected WhatsApp for iOS v2.25.8.0 through v2.26.15.72 and Android v2.25.8.0 through v2.26.7.10.
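The fix for this class of bug is validation by allowlist rather than by blocklist: a media URL inside an AI rich response should only ever be `https` to a known media host, and anything else is dropped before the platform's URL handler sees it. The Python below is an added example, not Meta's code; the CDN host, the rich-response field names and the handler scheme list are constructed for illustration (the schemes are the ones named in this article plus a few common ones).

```python
"""Allowlist validation of URLs carried in AI rich-response messages (added example)."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allowlist for this example; not WhatsApp's real configuration.
ALLOWED_SCHEMES = {"https"}
ALLOWED_MEDIA_HOSTS = {"cdn.example-media.invalid"}  # hypothetical CDN host

# Schemes that hand control to another app or an OS handler. The allowlist
# already rejects them; naming them lets the reason be logged precisely.
HANDLER_SCHEMES = {"tel", "facetime", "itms-apps", "sms", "mailto",
                   "javascript", "file", "intent"}


def validate_media_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only https on an allowlisted host, no userinfo, no IP literal."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    scheme = parts.scheme.lower()
    if scheme in HANDLER_SCHEMES:
        return False, f"custom handler scheme '{scheme}' is not allowed"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme or '<none>'}' is not allowed"
    if parts.username or parts.password:
        # "https://trusted-host@evil/..." would otherwise look like the trusted host
        return False, "userinfo in URL is not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    try:
        ip_address(host)
        return False, "literal IP addresses are not allowed"
    except ValueError:
        pass
    if host not in ALLOWED_MEDIA_HOSTS:
        return False, f"host '{host}' is not on the media allowlist"
    return True, "ok"


def filter_rich_response(message: dict) -> tuple[dict, list[str]]:
    """Drop every URL field that fails validation; return the cleaned message and why each was dropped.

    The field names are an assumption made for this example.
    """
    cleaned = dict(message)
    rejected = []
    for field in ("media_url", "thumbnail_url", "link_url"):
        value = message.get(field)
        if value is None:
            continue
        ok, reason = validate_media_url(value)
        if not ok:
            cleaned.pop(field)
            rejected.append(f"{field}: {reason}")
    return cleaned, rejected


if __name__ == "__main__":
    # Constructed rich-response message: one good media URL, one handler-scheme link.
    sample = {
        "text": "Here is the reel you asked about",
        "media_url": "https://cdn.example-media.invalid/reels/abc123.mp4",
        "link_url": "tel:+15550100",
    }
    print(filter_rich_response(sample))
```

Two details matter in practice: the userinfo check, because `https://cdn.example-media.invalid@evil.invalid/` parses with the trusted name in the username slot and the real host elsewhere, and the IP-literal check, which stops a request being pointed at something on the local network even when the scheme looks fine.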

Both vulnerabilities were responsibly disclosed by anonymous external researchers through Meta's bug bounty programme.

Update WhatsApp immediately, on every platform you use it. On Windows, confirm you are running v2.3000.1032164386.258709 or later. On mobile, any version above v2.26.15.72 (iOS) or v2.26.7.10 (Android) is patched.

The broader takeaway: as messaging apps deepen integration with AI features and cross-platform content — like Reels previews inside WhatsApp — the attack surface expands in ways that are not always obvious. Meta caught these before threat actors could, but the window between discovery and disclosure is rarely zero.
