Skip to main content

Microsoft CVE-2026-23863

| EUVDEUVD-2026-26665 MEDIUM
Improper Neutralization of Null Byte or NUL Character (CWE-158)
2026-05-01 cve-assign@fb.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

7
Patch released
May 04, 2026 - 15:21 nvd
Patch available
Analysis Generated
May 01, 2026 - 19:00 vuln.today
CVSS changed
May 01, 2026 - 17:22 NVD
6.5 (MEDIUM)
Patch available
May 01, 2026 - 17:03 EUVD
EUVD ID Assigned
May 01, 2026 - 16:22 euvd
EUVD-2026-26665
Analysis Generated
May 01, 2026 - 16:22 vuln.today
CVE Published
May 01, 2026 - 16:16 nvd
MEDIUM 6.5

DescriptionCVE.org

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened.

AnalysisAI

WhatsApp for Windows prior to v2.3000.1032164386.258709 permits attachment spoofing via maliciously formatted documents with embedded NUL bytes in filenames, causing the application to display files as benign types while executing them as executables upon opening. The vulnerability requires user interaction to open a crafted attachment delivered over the network, enabling an attacker to achieve code execution with the privileges of the WhatsApp process. No public exploit code or active exploitation has been confirmed at time of analysis.

Share

CVE-2026-23863 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy