Urgent WhatsApp security warning: Failure to update could leave your devices vulnerable to attacks

By Taylor Bushey


Published: 18/05/2026 - 12:03

It affects iOS, Android, and Windows devices

  • Meta has confirmed two new vulnerabilities found on WhatsApp
  • You can protect your devices by updating your chat app immediately
  • Failure to do so could result in malware getting installed

Use WhatsApp? You should download the update right away.

Unfortunately, it's not because Meta has packed the app with some exciting new features or a beautiful new design. It's because of a pair of dangerous flaws found in the software. Meta just released a security advisory that confirms two separate flaws were discovered in the popular messaging app used by 2 billion people worldwide.


"We strongly encourage all users to ensure they keep their WhatsApp up-to-date from their respective app stores and update their mobile operating systems whenever updates are available," the developers behind WhatsApp advise.

These vulnerabilities won’t automatically infect your smartphone or PC on their own. However, the loopholes in the software could make it easier for scammers to use social engineering tactics to trick you into revealing sensitive information, including login credentials, banking details, and other personal data.

The flaws could be combined with other security holes to cause more serious problems down the line.

The first vulnerability, tracked as CVE-2026-23866, affects both iPhone and Android users. The flaw involves the way WhatsApp processes Artificial Intelligence (AI)-generated “rich response messages” — enhanced messages that can include embedded content such as Instagram Reels previews.

Cybersecurity researchers warn that attackers could potentially exploit this feature to send malicious content disguised as legitimate media. The messaging platform doesn't properly check these messages before loading them. So if someone sends you a specially crafted message, it could force your phone to fetch content from a dodgy URL controlled by an attacker.

In some cases, this might even trigger your phone's built-in URL handlers at the operating system level. Essentially, a booby-trapped message could make your device open content from an untrusted source without you realising.

The second flaw, CVE-2026-23863, targets WhatsApp for Windows devices specifically.

The problem lies in how your desktop app handles filenames containing something called NUL bytes. These are hidden characters that can mess with how your computer reads a file's name. For example, a file might look like an innocent PDF in your chat window, but when you click to open it, your computer will install it as a programme instead. It's the classic "click the document" trick that ends up installing malware on your device.
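The desktop flaw described above comes down to two pieces of code disagreeing about where a filename ends. As an added illustration (not code from WhatsApp or from Meta's advisory), this Python check shows that disagreement and a reject-on-control-character policy; the function names, the extension list and the sample filenames are assumptions constructed for the example.

```python
import ntpath  # Windows path rules, usable on any OS

# Illustrative, not exhaustive: extensions Windows runs or hands to a script host.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1", ".lnk"}


def final_ext(name: str) -> str:
    """Lower-cased last extension; Windows ignores trailing dots and spaces."""
    return ntpath.splitext(name.rstrip(". "))[1].lower()


def inspect_attachment_name(name: str) -> dict:
    """Report how a received filename looks to length-counted vs NUL-terminated code."""
    # Code that treats the name as a C string stops at the first NUL byte.
    truncated = name.split("\x00", 1)[0]
    # Code that uses the full length sees everything; drop NULs to read the extension.
    full_ext = final_ext(name.replace("\x00", ""))
    trunc_ext = final_ext(truncated)
    has_control = any(ord(c) < 0x20 or ord(c) == 0x7F for c in name)
    return {
        "has_nul": "\x00" in name,
        "full_ext": full_ext,
        "truncated_ext": trunc_ext,
        "ext_mismatch": full_ext != trunc_ext,
        "executable": bool({full_ext, trunc_ext} & EXECUTABLE_EXTS),
        # Policy: a legitimate filename never needs control characters, so refuse outright.
        "reject": has_control,
    }


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for sample in ["holiday.jpg", "statement.pdf\x00.exe", "statement.exe\x00.pdf"]:
        print(repr(sample), inspect_attachment_name(sample))
```

Rejecting the name outright is safer than stripping the NUL and carrying on, because a stripped name can still end in an executable extension.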

While no cyber criminal has been found exploiting these bugs yet, the longer you wait to update, the higher the likelihood you could fall victim to an attempt.

To protect yourself from both of these flaws, you'll want to install the latest version of WhatsApp immediately.

On Android, pop into the Google Play Store, search for WhatsApp Messenger, and tap Update.

If you have an iPhone, you'll want to head to the App Store, tap your profile icon, and scroll down to find WhatsApp's update button.

For Windows users, you'll need to open the Microsoft Store, click Library in the bottom-left corner, find WhatsApp Desktop, and hit Update.