Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Medium

Attachment spoofing in WhatsApp for Windows

IdentifiersCVE-2026-23863CWE-436

CVE-2026-23863 is an attachment spoofing vulnerability in WhatsApp for Windows affecting versions prior to 2.3000.1032164386.258709. The issue is caused by improper handling of attachment filenames containing embedded NUL bytes. A maliciously crafted file can be presented within the WhatsApp client as a benign document or image based on the displayed filename or apparent type, while the underlying file is actually an executable that runs when the user opens it. In practice, this creates a discrepancy between how the application represents the attachment to the user and how the file is ultimately interpreted and executed by the operating system.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation could mislead a user into opening what appears to be a harmless attachment, resulting in execution of an attacker-supplied executable on the victim Windows system. The primary impact is malware delivery and arbitrary code execution in the security context of the user who opens the file, with likely follow-on risks including compromise of user data, persistence, lateral movement, or additional payload delivery depending on the executed program.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, reduce exposure by blocking or tightly controlling receipt and opening of unsolicited WhatsApp attachments on Windows endpoints, especially files that appear to be documents or images from untrusted or unexpected senders. Apply application control policies to restrict execution of untrusted binaries, use endpoint protection to inspect downloaded attachments, and educate users that attachments received through trusted messaging platforms may still be malicious even if they appear benign in the client UI.

Remediation

Patch, then assume compromise.

Upgrade WhatsApp for Windows to version 2.3000.1032164386.258709 or later, which contains Meta's fix for the attachment spoofing issue. Ensure updates are obtained through official distribution channels such as the Microsoft Store or other official WhatsApp release mechanisms. Organizations should verify deployed Windows clients are running a patched version and enforce timely application updates.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Meta PlatformsWhatsappapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.