Security researchers have identified two critical vulnerabilities in WhatsApp that could potentially expose users to cyber threats. These flaws, labeled as CVE-2026-23866 and CVE-2026-23863, were discovered through Meta’s Bug Bounty program. Although there have been no reported instances of these vulnerabilities being exploited in real-world attacks, experts caution that they could be used by cybercriminals for malicious purposes.
Malwarebytes experts have highlighted the risks associated with these vulnerabilities, noting that they could facilitate social engineering attacks or be combined with other security loopholes to create more severe threats. Specifically, the vulnerabilities affect how media files and attachments are processed within the messaging platform, as well as posing a specific risk to Windows users of WhatsApp.
WhatsApp has responded to these findings by releasing an update to address the vulnerabilities. Users are strongly advised to ensure that they have the latest version of the app installed and review their security settings. This proactive approach is crucial in safeguarding devices against potential exploitation of these vulnerabilities.
To protect themselves, Android users can update WhatsApp through the Google Play Store by searching for WhatsApp Messenger and selecting “Update.” Similarly, iPhone users should open the App Store, locate WhatsApp in their profile, and choose the “Update” option. By completing these updates, users can mitigate the risk of falling victim to any future security threats associated with the identified vulnerabilities.
In a related development, older Android devices running versions prior to Android 6 may soon lose access to WhatsApp, as the messaging platform plans to discontinue support for these devices from September 8, 2026. Affected users may receive notifications informing them that WhatsApp will no longer be functional on their devices. However, this change is unlikely to impact a significant number of users, as Android 6 was released in 2015 and is now outdated on most modern smartphones.