Meta Patches WhatsApp Vulnerabilities, Enhances Encrypted Backup Security
Meta has patched two medium-impact vulnerabilities in WhatsApp while simultaneously upgrading the cryptographic transparency of its end-to-end encrypted backup infrastructure.

Meta has disclosed two medium-impact vulnerabilities affecting WhatsApp, alongside a separate update to the security infrastructure behind the platform's end-to-end encrypted backups. Both vulnerabilities were reported through Meta's bug bounty program and have been fixed in recent client releases, and the company reports no evidence of exploitation in the wild (SecurityWeek).
The first vulnerability, tracked as CVE-2026-23863, is an attachment spoofing flaw in WhatsApp for Windows versions prior to 2.3000.1032164386.258709. According to the advisory, an attacker can send a crafted document whose filename contains an embedded NUL byte; the attachment appears harmless to the recipient, yet the file can be executed as a program when opened. The advisory does not spell out the mechanism, but NUL-byte filename spoofing classically exploits a mismatch between a display path that treats the name as a NUL-terminated string (and so shows only the prefix, for example a `.pdf` name) and a length-aware file-handling path that keeps the bytes after the NUL, including a different, executable extension. The lesson for any client is the same regardless of the exact code path: reject filenames containing NUL or other control bytes outright, and derive the name shown to the user from the same bytes the operating system will act on (SecurityWeek).
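To make that mismatch concrete, the following Go program is an added example, not WhatsApp's code and not a description of the actual bug in the client. It places a C-string style display path beside a length-aware extension check, shows how a single constructed filename is read differently by each, and then applies a hardened validator that refuses such names before they reach either path. The deny-list of executable extensions and the sample filenames are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Hypothetical deny-list of extensions the Windows shell treats as a program.
// Real clients usually defer to the OS for this; it is here to make the check concrete.
var executableExts = map[string]bool{
	".exe": true, ".com": true, ".bat": true, ".cmd": true, ".scr": true,
	".msi": true, ".ps1": true, ".vbs": true, ".js": true, ".lnk": true,
}

// DisplayedName models a consumer that treats the name as a C string:
// everything after the first NUL byte is invisible to the user.
func DisplayedName(name string) string {
	if i := strings.IndexByte(name, 0); i >= 0 {
		return name[:i]
	}
	return name
}

// EffectiveExt is the extension a length-aware consumer (and the shell that
// eventually opens the file) acts on: the last dot in the full byte string.
func EffectiveExt(name string) string {
	return strings.ToLower(path.Ext(name))
}

// IsSpoofed reports whether the two views of the name disagree on the extension.
func IsSpoofed(name string) bool {
	return EffectiveExt(DisplayedName(name)) != EffectiveExt(name)
}

// ValidateAttachmentName is the hardened check a receiving client can apply
// before showing or saving an attachment: reject any name that downstream
// consumers could interpret differently, then reject executable extensions.
func ValidateAttachmentName(name string) error {
	if name == "" {
		return errors.New("empty filename")
	}
	if strings.IndexByte(name, 0) >= 0 {
		return errors.New("NUL byte in filename")
	}
	for _, r := range name {
		if r < 0x20 || r == 0x7f {
			return errors.New("control character in filename")
		}
	}
	if strings.ContainsAny(name, `/\`) || name == "." || name == ".." {
		return errors.New("path separator or traversal in filename")
	}
	if ext := EffectiveExt(name); executableExts[ext] {
		return fmt.Errorf("executable extension %q", ext)
	}
	return nil
}

func main() {
	// Constructed sample: reads as a PDF up to the NUL, is an .exe to anything length-aware.
	crafted := "invoice.pdf\x00.exe"
	fmt.Printf("shown as %q, opens as %q, spoofed=%v\n",
		DisplayedName(crafted), EffectiveExt(crafted), IsSpoofed(crafted))
	for _, n := range []string{crafted, "invoice.pdf", "setup.exe", `..\x.pdf`} {
		fmt.Printf("%q -> %v\n", n, ValidateAttachmentName(n))
	}
}
```

The validator deliberately rejects the NUL byte before looking at extensions: once two parsers can disagree about where a name ends, no extension check on either view alone is trustworthy.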
The second issue, CVE-2026-23866, affects WhatsApp for iOS (versions 2.25.8.0 through 2.26.15.72) and WhatsApp for Android (versions 2.25.8.0 through 2.26.7.10). It stems from incomplete validation of AI-generated rich response messages related to Instagram Reels: the client could be made to process media from an arbitrary URL carried in such a message, and a URL with a non-HTTP scheme would be passed on to the operating system's custom URL scheme handlers. An attacker could use this to redirect a user to a phishing site or to launch other applications through deep links such as `facetime:` or `tel:`. The fix for this class of bug is a strict policy: parse the URL, accept only the expected scheme (https) and, where the source is known, only expected hosts, and never hand an unvalidated string to the OS URL opener (SecurityWeek).
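As an added example, not code from WhatsApp, the following Go function applies that policy to URLs pulled out of an untrusted message. The allowed host `cdn.example.com` is a placeholder; the advisory does not say where Reels media is served from, so the allow-list is an assumption of the example. The sample URLs at the bottom are constructed to cover the scheme, host and userinfo cases a reviewer would want exercised.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical allow-list of hosts the client expects Reels media to come from.
var allowedMediaHosts = map[string]bool{
	"cdn.example.com": true,
}

// ValidateMediaURL is the check a client should run on any URL extracted from
// an untrusted rich-response message before handing it to the OS. It returns
// the parsed URL only if it is an absolute https URL to an expected host.
func ValidateMediaURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable URL: %w", err)
	}
	// net/url lower-cases the scheme, so "HTTPS" is handled. Relative
	// references arrive with an empty scheme and are rejected here along with
	// tel:, facetime:, custom app schemes and everything else that is not https.
	if u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed, only https", u.Scheme)
	}
	if u.Opaque != "" {
		return nil, errors.New("opaque URL not allowed")
	}
	// Hostname() strips any port; userinfo ("cdn.example.com@evil.example") is
	// separated out by the parser, so the check below sees the real host.
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return nil, errors.New("missing host")
	}
	if !allowedMediaHosts[host] {
		return nil, fmt.Errorf("host %q not in media allow-list", host)
	}
	if u.User != nil {
		return nil, errors.New("userinfo in URL not allowed")
	}
	return u, nil
}

// IsSafeMediaURL is the boolean form, convenient for filtering a batch.
func IsSafeMediaURL(raw string) bool {
	_, err := ValidateMediaURL(raw)
	return err == nil
}

func main() {
	// Constructed samples standing in for URLs extracted from a rich-response payload.
	samples := []string{
		"https://cdn.example.com/reels/clip.mp4",
		"HTTPS://CDN.EXAMPLE.COM:443/reels/clip.mp4",
		"tel:+15555550100",
		"facetime:user@example.com",
		"myapp://open?x=1",
		"http://cdn.example.com/reels/clip.mp4",
		"https://cdn.example.com@evil.example/clip.mp4",
		"/reels/clip.mp4",
	}
	for _, s := range samples {
		_, err := ValidateMediaURL(s)
		fmt.Printf("%-48q -> %v\n", s, err)
	}
}
```

The scheme check comes first and is an allow-list rather than a deny-list of `tel:`, `facetime:` and friends: every platform ships handlers for schemes nobody enumerated, and any of them is reachable once the client forwards an arbitrary string to the OS.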
In a separate development, Meta announced enhancements to its Backup Key Vault, which secures end-to-end encrypted backups for WhatsApp and Messenger. The system uses hardware security modules (HSMs) to store recovery codes, so that neither Meta nor third-party cloud providers can access the backed-up data. The updated infrastructure introduces over-the-air fleet key distribution for Messenger, using validation bundles signed by Cloudflare and counter-signed by Meta. Requiring both signatures means that compromise of either party's signing key on its own is not enough to push a forged fleet key to clients (Help Net Security).
Meta is also increasing transparency around these HSM deployments. The company has committed to publishing evidence of secure fleet deployments, so that anyone can verify the integrity of the system with the open-source `mbt` CLI tool. The tool validates artifacts against a binary transparency log, using Cloudflare's Ed25519 public key as a trust anchor to check SHA-256 digests and signatures; because a trust anchor is established out of band rather than fetched alongside the artifacts, the check does not depend on trusting whichever server delivered them (Help Net Security).
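The following Go program is an added illustration of the sign, counter-sign and verify flow described in the two paragraphs above; it is not `mbt` and not Meta's code. The bundle layout (an artifact's SHA-256 digest signed by Cloudflare, with Meta's counter-signature covering the digest plus Cloudflare's signature), the in-memory list standing in for the transparency log, and the freshly generated keys standing in for the published trust anchors are all assumptions of the example, chosen so that it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Bundle models a validation bundle: the SHA-256 digest of a deployment
// artifact, signed by Cloudflare and counter-signed by Meta. The field layout
// and what the counter-signature covers are assumptions of this example.
type Bundle struct {
	Digest        [sha256.Size]byte
	CloudflareSig []byte // over Digest
	MetaSig       []byte // over Digest || CloudflareSig
}

// TrustAnchors are the pinned public keys a verifier ships with.
type TrustAnchors struct {
	Cloudflare ed25519.PublicKey
	Meta       ed25519.PublicKey
}

// counterSignInput is the message Meta's counter-signature covers (assumed layout).
func counterSignInput(b Bundle) []byte {
	msg := make([]byte, 0, len(b.Digest)+len(b.CloudflareSig))
	msg = append(msg, b.Digest[:]...)
	return append(msg, b.CloudflareSig...)
}

// SignBundle is the producer side, included only so the example is complete.
func SignBundle(artifact []byte, cfPriv, metaPriv ed25519.PrivateKey) Bundle {
	b := Bundle{Digest: sha256.Sum256(artifact)}
	b.CloudflareSig = ed25519.Sign(cfPriv, b.Digest[:])
	b.MetaSig = ed25519.Sign(metaPriv, counterSignInput(b))
	return b
}

// VerifyBundle is the consumer side: recompute the digest locally, check both
// signatures against the pinned anchors, then require that the digest appears
// in the published log. Each failure is distinct so an operator can tell a
// tampered artifact from a bad signature from an unpublished deployment.
func VerifyBundle(artifact []byte, b Bundle, ta TrustAnchors, published [][sha256.Size]byte) error {
	if local := sha256.Sum256(artifact); local != b.Digest {
		return errors.New("artifact digest does not match bundle")
	}
	if !ed25519.Verify(ta.Cloudflare, b.Digest[:], b.CloudflareSig) {
		return errors.New("Cloudflare signature invalid")
	}
	if !ed25519.Verify(ta.Meta, counterSignInput(b), b.MetaSig) {
		return errors.New("Meta counter-signature invalid")
	}
	for _, entry := range published {
		if entry == b.Digest {
			return nil
		}
	}
	return errors.New("digest not found in transparency log")
}

func main() {
	// Constructed keys stand in for the real anchors, which would be published
	// keys compiled into the verifier rather than generated at run time.
	cfPub, cfPriv, _ := ed25519.GenerateKey(rand.Reader)
	metaPub, metaPriv, _ := ed25519.GenerateKey(rand.Reader)
	ta := TrustAnchors{Cloudflare: cfPub, Meta: metaPub}

	artifact := []byte("constructed HSM fleet deployment manifest v1")
	b := SignBundle(artifact, cfPriv, metaPriv)
	published := [][sha256.Size]byte{b.Digest}

	fmt.Println("digest:", hex.EncodeToString(b.Digest[:]))
	fmt.Println("genuine:", VerifyBundle(artifact, b, ta, published))
	fmt.Println("tampered artifact:", VerifyBundle([]byte("swapped manifest"), b, ta, published))

	// A party holding only Meta's key cannot produce an acceptable bundle for a
	// different artifact: the Cloudflare check fails before the log is consulted.
	forged := SignBundle([]byte("rogue manifest"), metaPriv, metaPriv)
	fmt.Println("forged with Meta key only:", VerifyBundle([]byte("rogue manifest"), forged, ta, published))
}
```

The log lookup here is a plain membership test; a real binary transparency log would hand back a Merkle inclusion proof against a signed tree head, which is what lets a third party audit the log itself rather than trust the operator's word that the digest was published.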
These disclosures highlight the ongoing challenge of securing complex messaging platforms against both application-level flaws and infrastructure-level risks. The two client vulnerabilities have been patched, while the push for verifiable backup infrastructure reflects a broader industry move toward cryptographically auditable cloud storage. Users should update WhatsApp to the latest version to close the now-patched spoofing and URL scheme issues (SecurityWeek, Help Net Security).