CVE-2026-23863 - Vulnerability Details

- WhatsApp Windows Filename Spoofing Leading to Potential Execution of Malicious Payload

Description

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.

Published: 2026-05-01

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

WhatsApp for Windows before version 2.3000.1032164386.258709 can display a maliciously crafted document that contains NULL bytes in the filename as one file type, yet run it as an executable when the user opens the attachment. The vulnerability allows an attacker to trick a user into executing arbitrary code by manipulating the file extension presentation. This flaw represents a type confusion error that could lead to loss of confidentiality, integrity, and availability if abused.

Affected Systems

The affected system is the Windows desktop client for WhatsApp. Users running any pre‑v2.3000.1032164386.258709 installation on Windows devices are impacted. No specific hardware or operating version constraints are noted beyond the pre‑specified application version.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate risk level, and the EPSS score is not available, implying uncertain exploitation likelihood. Because the weakness involves file handling, an attacker would need to deliver a crafted attachment that the user opens. The vulnerability is not listed in CISA KEV, and no exploitation evidence has yet been observed in the wild. However, the potential for remote execution remains, especially if users click on convincingly disguised attachments.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Facebook

WhatsApp Desktop for Windows

unaffected

Version	Status	Constraints
`2.3000.*.252500`	affected	< 2.3000.1032164386.258709

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WhatsApp Desktop for Windows to the latest release (v2.3000.1032164386.258709 or later),
Avoid opening files that appear to be a benign document type but have dissimilar executable extensions until a patch is applied,
Enable Windows User Account Control and ensure file extensions are visible so that users can verify the true file type before opening.

Generated by OpenCVE AI on May 1, 2026 at 22:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00009.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://www.facebook.com/security/advisories/cve-2026-23863
https://www.whatsapp.com/security/advisories/2026

History

Fri, 01 May 2026 23:15:00 +0000

Type	Values Removed	Values Added
Title		WhatsApp Windows Filename Spoofing Leading to Potential Execution of Malicious Payload

Fri, 01 May 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-158
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 01 May 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description	An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened.	An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N/E:F/RL:O/RC:C'}`

Fri, 01 May 2026 16:15:00 +0000

Type	Values Removed	Values Added
Description		An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened.
References		https://www.facebook.com/security/advisories/cve-2026-23863 https://www.whatsapp.com/security/advisories/2026

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Meta

Published: 2026-05-01T16:01:39.565Z

Updated: 2026-05-01T17:41:14.681Z

Reserved: 2026-01-16T19:49:26.308Z

Link: CVE-2026-23863

Vulnrichment

Updated: 2026-05-01T17:41:10.404Z

NVD

Status : Received

Published: 2026-05-01T16:16:29.843

Modified: 2026-05-01T18:16:14.073

Link: CVE-2026-23863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses

CWE-158

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object