Comments
Don’t be lazy, add a hand-written tl;dr summary, not just dry links.
Tldr from the second link.
A critical security flaw has been unearthed in Telegram, the world’s leading encrypted messaging platform, drawing significant attention within the cybersecurity community. Discovered by Michael DePlante (@izobashi) of the Trend Micro Zero Day Initiative (ZDI), the vulnerability—tracked as ZDI-CAN-30207—has been assigned a severity score of 9.8 on the CVSS scale.
Reported to Telegram on March 26, 2026, the flaw represents a “worst-case scenario” for digital privacy, as it allows for remote, unauthenticated exploitation without any user interaction.
The vulnerability’s technical vector—AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H—puts more than one billion active users of the platform at risk:
Network (AV:N): The attack can be launched remotely over the internet.
Low Complexity (AC:L): No specialized conditions or complex bypasses are required to trigger the flaw.
No Privileges (PR:N): The attacker does not need an account or special permissions on the target system.
No User Interaction (UI:N): This is a zero-click vulnerability. A victim does not need to click a link, open a file, or even be active on the app for their system to be compromised.
High Impact (C:H/I:H/A:H): A successful exploit grants total control, allowing attackers to steal data (Confidentiality), modify system files (Integrity), and crash services (Availability).
The exact technical details remain under wraps to prevent immediate exploitation. According to the ZDI’s upcoming advisory portal, the public disclosure date is set for July 24, 2026. This gives the vendor a four-month window to develop and deploy a patch before the full mechanics of the bug are revealed to the public.
Historically, vulnerabilities in messaging apps have been highly sought after by state-sponsored actors and mercenary “spyware” groups for high-value targeting. Given the 9.8 severity rating, ZDI-CAN-30207 likely involves a fundamental flaw in how the application handles incoming data, such as media files or automated bot requests.
Until a formal patch is released, security experts recommend the following:
Enable Automatic Updates: Ensure your Telegram client (Desktop, iOS, and Android) is set to update automatically.
Limit Contact: Restrict who can send you messages and files in the Privacy and Security settings.
Monitor Official Channels: Watch for an “Emergency Security Update” notification from Telegram.
Update:
A Telegram spokesperson told us: “This flaw does not exist. This researcher falsely claims that a corrupted Telegram sticker could be used as an attack vector — which completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps.”
from the article
Telegram is not E2EE so what are they smoking?
ssl encryption
SSL 3.0 bestest secure encryption no government will have access to my private cat sticker collection.
Russian tech is flawed by design
I agree, this annoys me too.
That's what AI is for.
I don't have time, if you're interested, click the links and read them, everyone else can move on...
It's "read the links and click them", I think.