Improper Neutralization of Null Byte or NUL Character

CVE-2026-23863

Medium

6.5/10

Summary

An attachment spoofing issue in WhatsApp for Windows prior to v2.3000.1032164386.258709 could have allowed maliciously formatted documents with embedded NUL bytes in the filename to be shown in the application as one type of file but run as an executable when opened. We have not seen evidence of exploitation in the wild.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-158 - Improper Neutralization of Null Byte or NUL Character

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes NUL characters or null bytes when they are sent to a downstream component.

References

Advisory Timeline

Published May 01, 2026

Improper Neutralization of Null Byte or NUL Character

CVE-2026-23863

Summary

CWE-158 - Improper Neutralization of Null Byte or NUL Character

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS