New WhatsApp Flaws Could Affect Billions of Users After Meta Security Patch

WhatsApp patched two security flaws affecting iOS, Android, and Windows: an Android/iOS issue (CVE-2026-23866) where crafted AI-rich response messages and Instagram Reels previews could cause the app to process attacker-controlled media/URLs and invoke OS handlers, enabling phishing or follow-on attacks; and a Windows issue (CVE-2026-23863) where filenames with embedded null bytes could make executables appear as harmless documents, facilitating malware delivery through social engineering. Meta disclosed and fixed both bugs via its bug bounty program and reported no evidence of active exploitation; users and organizations are advised to update clients and treat messaging apps as part of the enterprise attack surface.