Security researchers have identified two critical vulnerabilities in WhatsApp that could be exploited by cybercriminals. The flaws affect how the messaging service handles media files and attachments, and also pose a risk to Windows users of the app.
Although these vulnerabilities do not automatically infect devices, they create opportunities for social engineering attacks or could be combined with other weaknesses for more severe threats. Malwarebytes experts have cautioned that a malicious message could deceive a device into opening content from an untrusted source.
The vulnerabilities, tracked as CVE-2026-23866 and CVE-2026-23863, were uncovered through Meta’s Bug Bounty program. While there is no evidence of real-world exploitation or phone infections, WhatsApp has released an update and is urging users to review their settings promptly.
To safeguard against potential risks, users are advised to ensure their WhatsApp application is fully updated on their devices. Android users can update the app through the Google Play Store by searching for WhatsApp Messenger and selecting “Update.” iPhone users should access the App Store, navigate to WhatsApp in their profile, and choose “Update.”
By updating to the latest version, users can protect their devices from possible future attacks. Additionally, WhatsApp users with older Android devices may face restrictions, as the app plans to discontinue support for Android versions older than Android 6 starting September 8, 2026. Affected users may receive a notification informing them that WhatsApp will no longer function on their devices later in the year.
While this change may impact some users, Android 6 was launched in 2015 and is no longer widely used on modern smartphones. It is crucial for WhatsApp users to stay vigilant, keep their app updated, and follow any further announcements from the company to enhance their cybersecurity posture.
