WhatsApp shipped a security update for two flaws, one in the Windows app and one in a Meta AI feature on iOS and Android most users didn't know existed.

The mobile flaw, CVE-2026-23866, affects a Meta AI feature where users can prompt the AI bot to serve up Instagram Reels inside the WhatsApp chat window. Incomplete validation of those AI-generated rich-response messages let an attacker craft a message that, when the recipient's app processed it, would fetch media from an arbitrary URL, including OS-level custom URL scheme handlers (tel:, facetime:, third-party app deep links).

The Windows flaw, CVE-2026-23863, is an attachment spoof: a maliciously formatted filename with embedded NUL bytes was rendered truncated by WhatsApp's UI but executed in full when opened, with the real extension after the NUL byte.

Both flaws are rated medium severity (CVSS 6.5). Both were reported through WhatsApp's bug bounty program. Meta says there's no evidence either was exploited in the wild.

Sources:
https://www.malwarebytes.com/blog/news/2026/05/update-whatsapp-now-two-new-flaws-could-expose-you-to-malicious-files
https://www.securityweek.com/whatsapp-discloses-file-spoofing-arbitrary-url-scheme-vulnerabilities/

More on cybersecurity, privacy, scams, and homelab on Hake Hardware. New shorts every weekday.

#cybersecurity #whatsapp #metaai
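
The Windows attachment spoof described above comes down to the UI and the file-open path disagreeing about where the filename ends. A receiving-side check for that mismatch, as an added example that is not WhatsApp's code; the function names, the risky-extension list and the sample filenames are assumptions constructed for illustration:

```python
import unicodedata

# Assumed policy list: extensions the receiving client treats as directly runnable.
RISKY_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs", ".lnk", ".msi", ".ps1"}


def displayed_name(raw: str) -> str:
    """Model a UI that stops rendering at the first NUL, as C-string APIs do."""
    return raw.split("\x00", 1)[0]


def extension(name: str) -> str:
    """Return the lowercased final extension of the last path component, or ''."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot > 0 else ""


def check_attachment_name(raw: str) -> list[str]:
    """Return findings for an attachment filename; an empty list means acceptable."""
    findings = []
    # Control characters (category Cc, which includes NUL) never belong in a filename.
    if any(unicodedata.category(c) == "Cc" for c in raw):
        findings.append("control-characters")
    # Compare the extension the user would see with the one the full name carries.
    shown = extension(displayed_name(raw))
    real = extension(raw.replace("\x00", ""))
    if shown != real:
        findings.append(f"extension-mismatch:{shown or '(none)'}->{real or '(none)'}")
    if real in RISKY_EXTENSIONS:
        findings.append(f"risky-extension:{real}")
    return findings


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    for sample in ("holiday.jpg", "setup.exe", "invoice.pdf\x00.exe"):
        print(repr(sample), "->", check_attachment_name(sample) or "ok")
```

Rejecting the name outright on any finding is safer than stripping the NUL and continuing, since stripping changes which file the user believes they are opening.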
