Security researchers have identified two critical software vulnerabilities in WhatsApp that could be exploited by cybercriminals. One vulnerability concerns the handling of media files and attachments, while the other specifically affects Windows users of the messaging platform.
Although these vulnerabilities do not automatically infect devices, attackers could use them in social engineering or combine them with other vulnerabilities to launch more severe attacks. Malwarebytes experts cautioned that a malicious message could deceive a device into opening content from an untrusted source.
The flaws, tracked as CVE-2026-23866 and CVE-2026-23863, were uncovered through Meta’s Bug Bounty program. There is currently no evidence of real-world attacks exploiting these vulnerabilities or infecting phones, and WhatsApp emphasized that it has not observed any exploitation in practice.
In response to the potential risks, WhatsApp, owned by Meta, has issued an update and strongly advises users to review their settings. To safeguard their devices, users should ensure they have the latest version of WhatsApp installed.
For Android users, updating WhatsApp is as simple as accessing the Google Play Store, searching for WhatsApp Messenger, and selecting “Update.” iPhone users can similarly update the app by navigating to the App Store, locating WhatsApp under their profile, and choosing “Update.”
Once the update is installed, devices will be shielded from possible future attacks that exploit these flaws. Separately, users of older Android devices should be aware that WhatsApp plans to discontinue support for devices running versions older than Android 6 starting from September 8, 2026. Affected users may receive a notification indicating that WhatsApp will cease to function on their devices.
Despite this potential disruption, the majority of users are unlikely to be impacted, considering that Android 6, launched in 2015, is now seldom found on modern smartphones.
