CVE-2021-41861
Description
The Telegram application 7.5.0 through 7.8.0 for Android does not properly implement image self-destruction, a different vulnerability than CVE-2019-16248. After approximately two to four uses of the self-destruct feature, there is a misleading UI indication that an image was deleted (on both the sender and recipient sides). The images are still present in the /Storage/Emulated/0/Telegram/Telegram Image/ directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Telegram Android 7.5.0-7.8.0 fails to delete images after self-destruct, leaving them accessible in storage.
Vulnerability
The Telegram application for Android versions 7.5.0 through 7.8.0 implements an image self-destruct feature that fails to actually delete images from device storage. After approximately two to four uses of the self-destruct feature, the user interface misleadingly indicates that the image was deleted on both sender and recipient sides, but the images remain in the /Storage/Emulated/0/Telegram/Telegram Image/ directory [1][2]. The bug is separate from CVE-2019-16248 [1].
Exploitation
An attacker requires physical or remote access to the device's file system (e.g., via a malicious app or forensic tools) to retrieve the allegedly deleted images. The user repeatedly uses the self-destruct feature, and after 2-4 uses, the images persist despite the UI showing deletion. No special privileges or user interaction beyond normal use of the feature is needed [1][2].
Impact
Successful exploitation allows an attacker to recover images that the user believed were permanently deleted. This undermines the confidentiality of the self-destruct feature, potentially exposing sensitive or private images stored on the device [1][2]. The impact is limited to local file access; remote exploitation is not described.
Mitigation
As of the publication date (2021-10-04), no official fix has been confirmed by the vendor. The affected versions are Telegram Android 7.5.0 through 7.8.0. Users should update to a version beyond 7.8.0 if available [3][4]. Workarounds include avoiding reliance on the self-destruct feature for sensitive images and manually deleting images from the file system. The CVE is not listed in KEV [1][2].
- Telegram users' privacy has been violated again. The messenger's representatives demand that the details not be disclosed
- Telegram users' privacy has been violated again. The messenger's representatives demand that the details not be disclosed
- Auto-delete, widgets and temporary invite links
- Version history
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Telegram/Telegram application (description)
- Range: 7.5.0 - 7.8.0
Patches
No patches discovered yet.
References
- desktop.telegram.org/changelog (mitre, x_refsource_MISC)
- habr.com/ru/post/580582/ (mitre, x_refsource_MISC)
- pikabu.ru/story/konfidentsialnost_polzovateley_telegram_snova_narushena_predstaviteli_messendzhera_trebuyut_ne_raskryivat_podrobnostey_8511495 (mitre, x_refsource_MISC)
- telegram.org/blog/autodelete-inv2/ru (mitre, x_refsource_MISC)