It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

AndyC 31 March 2026

Insights

It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

Pierluigi Paganini
March 30, 2026

A critical Telegram flaw could allow zero-click remote code execution on devices, but Telegram denies it.

Researcher Michael DePlante (@izobashi) of TrendAI Zero Day disclosed a new Telegram vulnerability through Zero Day Initiative (ZDI).

The vulnerability, tracked as ZDI-CAN-30207 (CVSS score of 9.8) allows attackers to execute code on targeted devices without any user interaction. This vulnerability is especially dangerous because an attacker can exploit it simply by sending a malicious animated sticker, with no action required from the victim. The vulnerability lies in how Telegram automatically processes media to generate previews, allowing crafted files to trigger code execution.

The flaw poses a serious security risk, especially as no patch is currently available, raising concerns across the cybersecurity community.

The vulnerability affects Telegram on Android and Linux; if exploited, it allows attackers to take full control of a device.

At this time it is unclear if threat actors have already exploited it in attacks in the wild.

The Zero Day Initiative did not disclose technical details about the vulnerability to give the company time to address it by July 24, 2026.

The Italian National Cybersecurity Agency (ACN) reported that Telegram has denied the disclosed zero-click vulnerability, stating it does not exist. The company says all stickers are validated server-side before delivery, preventing malicious files from being used as an attack vector and making code execution via stickers technically impossible.

“Following direct discussions, Telegram Messenger has formally denied the existence of the previously reported zero-click vulnerability, stating that the flaw does not exist. The vendor claims that every sticker uploaded to the platform undergoes mandatory validation on its servers before being distributed to client applications.” reads an update published on the ACN’s advisory. “According to this official position, the centralized filtering process prevents corrupted stickers from being used as an attack vector, making it technically impossible to execute malicious code through this method.”

As a mitigation measure, Telegram Business users can limit incoming messages from new contacts. In Settings → Privacy and Security → Messages, they can restrict messages to saved contacts or Premium users only.

Exploits targeting popular platforms like Telegram can be worth millions on underground markets, and threat actors can quickly weaponize them.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, zero-day)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , ,

What do you feel about this?

More Stories

China-Linked groups target Southeast Asian government with advanced malware in 2025

China-Linked groups target Southeast Asian government with advanced malware in 2025

AndyC 31 March 2026
HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

AndyC 31 March 2026
Enterprise AI Security & Governance Roadmap (2026 CISO Strategy)

Enterprise AI Security & Governance Roadmap (2026 CISO Strategy)

AndyC 31 March 2026
Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution

Critical Fortinet FortiClient EMS flaw exploited for Remote Code Execution

AndyC 31 March 2026
New macOS Infinity Stealer uses Nuitka Python payload and ClickFix

New macOS Infinity Stealer uses Nuitka Python payload and ClickFix

AndyC 31 March 2026
7 tabletop exercise scenarios every cybersecurity team should practice in 2026

Russia-linked APT TA446 uses DarkSword exploit to target iPhone users in phishing wave

AndyC 31 March 2026

You may have missed

The AI Exchange: Innovators in Payment Security Featuring Flywire

The AI Exchange: Innovators in Payment Security Featuring Flywire

AndyC 31 March 2026
China-Linked groups target Southeast Asian government with advanced malware in 2025

China-Linked groups target Southeast Asian government with advanced malware in 2025

AndyC 31 March 2026
It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

It’s a mystery … alleged unpatched Telegram zero-day allows device takeover, but Telegram denies

AndyC 31 March 2026
HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

HIBP Mega Update: Passkeys, k-Anonymity Searches, Massive Speed Enhancements and a Bulk Domain Verification API

AndyC 31 March 2026
7 tabletop exercise scenarios every cybersecurity team should practice in 2026

Breach Readiness in the Age of Mythos: When Your AI Thinks, Learns, and Defends

AndyC 31 March 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.