CRITICAL: Telegram Hit by 9.8-Rated Zero-Click RCE Flaw on Android & Linux

Critical Zero-Click Remote Code Execution Vulnerability Discovered in Telegram Messenger

CRITICAL
March 28, 2026
6m read
Vulnerability, Mobile Security, Cyberattack


Executive Summary

A critical zero-click remote code execution (RCE) vulnerability has been identified in the Telegram messenger application, posing a severe risk to users on Android and Linux platforms. The flaw, registered by the Zero Day Initiative as ZDI-CAN-30207, carries a CVSS 3.1 score of 9.8 out of 10. Exploitation requires no user interaction beyond the victim receiving a malicious animated sticker. Successful exploitation could allow an attacker to gain complete control over the victim's device and Telegram account. As of March 28, 2026, no patch is available, and information about a working exploit is reportedly being sold, making this a high-urgency threat.


Vulnerability Details

The vulnerability is a zero-click RCE, which is among the most dangerous classes of software flaws because it can be exploited without any action from the victim.

  • Identifier: ZDI-CAN-30207
  • CVSS 3.1 Score: 9.8 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None

Exploitation is achieved by sending a specially crafted animated sticker to a target user. The vulnerability is triggered within the application's media processing library when it attempts to render the malicious sticker. This leads to a memory corruption error, which can be leveraged by an attacker to execute arbitrary code on the victim's device with the privileges of the Telegram application.

Affected Systems

  • Telegram for Android: All recent versions are presumed to be affected until a patch is released.
  • Telegram for Linux: All recent versions are presumed to be affected until a patch is released.

Other versions of Telegram (e.g., for iOS, Windows, macOS) are not explicitly mentioned as being vulnerable in the reports, but users should remain cautious.

Exploitation Status

The vulnerability was registered with the Zero Day Initiative on March 26, 2026. According to reports circulating within Telegram channels, information about the vulnerability and a working exploit/generator are already being sold on underground markets. This indicates that the flaw may be on the verge of active exploitation, if not already being used in targeted attacks. Full technical details are scheduled for public disclosure after July 24, 2026, under responsible disclosure policies, giving Telegram a window to develop and deploy a fix.

Impact Assessment

A successful exploit would have a devastating impact on a victim's privacy and security. An attacker could gain full control over the Telegram application, allowing them to:

  • Read all past and future private and group messages.
  • Send messages on the victim's behalf.
  • Access the victim's contact list.
  • Potentially pivot from the compromised application to gain further access to the underlying device, stealing other sensitive data such as photos, files, and credentials for other services.

Given Telegram's use by journalists, activists, and government officials, this vulnerability poses a significant risk for espionage and targeted surveillance.

Cyber Observables for Detection

Detecting exploitation of a zero-click vulnerability is extremely difficult without access to endpoint or network telemetry. However, organizations can hunt for potential indicators.

  • Type: network_traffic_pattern
    Value: Inbound traffic containing animated stickers from unknown/untrusted contacts
    Description: A potential delivery vector for the exploit.
    Context: Network monitoring, proxy logs. This is low-fidelity but may be the only external sign.
    Confidence: low
  • Type: process_name
    Value: telegram-desktop (Linux), org.telegram.messenger (Android)
    Description: Monitor for anomalous child processes, outbound network connections, or crashes related to the Telegram process.
    Context: EDR, mobile device management (MDM) logs, endpoint process monitoring.
    Confidence: medium
  • Type: event_id
    Value: Application Crash Logs
    Description: Frequent or unexplained crashes of the Telegram application could indicate failed exploitation attempts.
    Context: Check device-level crash logs (e.g., Android Logcat).
    Confidence: low

Detection Methods

  • Endpoint Monitoring: Use an EDR or Mobile Threat Defense (MTD) solution to monitor the Telegram process for anomalous behavior, such as unexpected network connections, file system access outside of its sandbox, or the spawning of suspicious child processes (e.g., a shell).
  • Network Analysis: While traffic is typically encrypted, monitoring for connections from Telegram to unusual IP addresses or domains could be an indicator of compromise post-exploitation. This is difficult but may be possible if the attacker's C2 infrastructure is known. Reference D3FEND technique D3-NTA - Network Traffic Analysis.
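The observables table and the detection bullets above describe two hunts a defender can actually run: repeated Telegram crashes (possible failed exploitation attempts) and shell-like child processes of the Telegram process. The Python script below is an added example, not part of the original article and not Telegram's own tooling. It runs both hunts over constructed sample data: a few simplified Android logcat native-crash lines and a small CSV of process-start events in a generic EDR export layout. The log layouts, the assumed year for the logcat timestamps, the 10-minute window, the threshold of three crashes and the list of shell-like child names are all assumptions chosen for the example; tune them to your own telemetry and baseline.

```python
"""Hunt over crash logs and process-start events for the Telegram observables above.

Added example; not from the original article and not Telegram's own tooling.
Assumed/constructed: the simplified logcat layout, the EDR-style CSV layout, the
10-minute window, the 3-crash threshold and the list of shell-like child names."""
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Process names taken from the observables table above.
TELEGRAM_PROCS = {"telegram-desktop", "org.telegram.messenger"}
# Children a messaging client has no business spawning (assumption; baseline per environment).
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "python3", "perl"}

# Constructed sample: Android logcat native-crash lines, simplified to the fields used here.
LOGCAT_SAMPLE = """\
03-28 10:15:02.001 F DEBUG : pid: 4120, tid: 4120, name: tgnet >>> org.telegram.messenger <<<
03-28 10:15:02.002 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-28 10:16:40.001 F DEBUG : pid: 4188, tid: 4188, name: tgnet >>> org.telegram.messenger <<<
03-28 10:16:40.002 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
03-28 10:18:05.001 F DEBUG : pid: 4250, tid: 4250, name: tgnet >>> org.telegram.messenger <<<
03-28 10:18:05.002 F DEBUG : signal 6 (SIGABRT), code -1 (SI_QUEUE)
03-28 14:02:11.001 F DEBUG : pid: 5001, tid: 5001, name: chrome >>> com.android.chrome <<<
03-28 14:02:11.002 F DEBUG : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8
"""

# Constructed sample: process-start events in a generic EDR export layout (Linux endpoint).
PROC_SAMPLE = """\
ts,host,parent_name,child_name,child_cmdline
2026-03-28T10:20:11,ws-07,systemd,telegram-desktop,/usr/bin/telegram-desktop
2026-03-28T10:20:15,ws-07,telegram-desktop,xdg-open,xdg-open https://example.org
2026-03-28T10:21:03,ws-07,telegram-desktop,sh,/bin/sh
2026-03-28T10:22:00,ws-07,systemd,sh,/bin/sh
"""

HDR_RE = re.compile(r"^(\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ F DEBUG : pid: (\d+),.*>>> (\S+) <<<")
SIG_RE = re.compile(r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d+ F DEBUG : signal \d+ \((\w+)\)")


def parse_logcat_crashes(text: str, year: int = 2026):
    """Return (timestamp, package, signal) per native crash. Logcat omits the year; it is assumed."""
    events, pending = [], None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %m-%d %H:%M:%S")
            pending = (ts, m.group(3))  # crash header: remember until the signal line arrives
            continue
        m = SIG_RE.match(line)
        if m and pending:
            events.append((pending[0], pending[1], m.group(1)))
            pending = None
    return events


def crash_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Map Telegram package -> max crashes seen inside any `window`, reported when >= threshold."""
    times = defaultdict(list)
    for ts, pkg, _sig in events:
        if pkg in TELEGRAM_PROCS:
            times[pkg].append(ts)
    flagged = {}
    for pkg, stamps in times.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= threshold:
                flagged[pkg] = max(flagged.get(pkg, 0), n)
    return flagged


def suspicious_children(csv_text: str):
    """Rows where a Telegram process spawned a shell-like child; xdg-open (link opening) is expected."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["parent_name"] in TELEGRAM_PROCS and r["child_name"] in SHELL_LIKE]


if __name__ == "__main__":
    print("crash bursts:", crash_bursts(parse_logcat_crashes(LOGCAT_SAMPLE)))
    for row in suspicious_children(PROC_SAMPLE):
        print("suspicious child:", row["ts"], row["parent_name"], "->", row["child_cmdline"])
```

On the sample data the crash hunt flags org.telegram.messenger with three crashes inside one window and ignores the unrelated Chrome crash, and the process hunt flags the single `/bin/sh` spawned by telegram-desktop while ignoring the same shell started by systemd. Both signals are low-fidelity on their own, as the table says; the value is in correlating a crash burst and a shell spawn on the same host within minutes.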

Remediation Steps

As of March 28, 2026, no patch is available.

Immediate Workarounds & Mitigations:

  1. Disable Auto-Download: In Telegram's "Data and Storage" settings, disable the automatic download of all media types (photos, videos, files) over both mobile data and Wi-Fi. This may reduce the attack surface by preventing the malicious sticker from being processed automatically, though it is not a guaranteed fix.
  2. Limit Communication: Be extremely cautious about receiving messages, especially media files, from unknown or untrusted contacts.
  3. Monitor for Updates: Constantly check the Google Play Store or Telegram's official website for a new version of the application and install it immediately once it becomes available.
  4. Use an Alternative Messenger: For highly sensitive communications, consider temporarily switching to an alternative end-to-end encrypted messenger until a patch is confirmed to be effective.

Once a patch is released, applying it via the official app store is the only effective remediation. Reference D3FEND hardening technique D3-SU - Software Update.

Timeline of Events

  1. March 26, 2026: The vulnerability was registered in the Zero Day Initiative project database.
  2. March 28, 2026: This article was published.
  3. July 24, 2026: Scheduled date for full technical disclosure of the vulnerability.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patch from Telegram as soon as it becomes available.

Operating system sandboxing mechanisms on Android and Linux are designed to limit the impact of a compromised application, preventing it from accessing data outside its designated container.

As a temporary measure, disabling auto-download of media within the app can reduce the attack surface.

D3FEND Defensive Countermeasures

The single most critical action for all Telegram users on Android and Linux is to apply the forthcoming security update immediately upon its release. Given the 9.8 CVSS score and zero-click nature of this vulnerability, there is no effective defense other than patching the underlying flaw in the application's code. Users should enable automatic updates in the Google Play Store or their respective Linux package manager to ensure the patch is applied as soon as it is published by Telegram. For enterprise environments using Mobile Device Management (MDM), administrators must create a policy to enforce the update across all managed devices as a top priority. Until the patch is released, this vulnerability represents an unmitigated risk.

As a temporary, partial mitigation until a patch is available, users should immediately harden their Telegram application settings. Navigate to 'Settings' > 'Data and Storage' and under the 'Automatic media download' section, disable automatic downloads for all media types (Photos, Videos, Files) across all network types (Mobile data, Wi-Fi, Roaming). This action may prevent the Telegram client from automatically fetching and processing the malicious animated sticker, potentially stopping the exploit chain before it starts. While this is not a foolproof solution—as a user might still manually tap to download the media—it removes the 'zero-click' aspect and reintroduces a layer of user interaction, significantly reducing the risk of a silent, automated compromise. This is a crucial interim step for all users.

While not a direct fix for the Telegram flaw, underlying operating system protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) are critical in making exploitation of such vulnerabilities more difficult. These are standard features in modern Android and Linux distributions. They work by marking certain areas of memory as non-executable (DEP) and randomizing the memory addresses where code is loaded (ASLR). This makes it harder for an attacker to reliably jump to and execute their malicious shellcode after triggering a memory corruption bug. While advanced exploits can sometimes bypass these protections, they raise the bar for the attacker and can cause exploit attempts to fail and simply crash the application, which may alert the user to a problem. Users should ensure their device's operating system is fully up-to-date to benefit from the latest platform-level security enhancements.
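The paragraph above explains DEP/NX and ASLR in general terms; the check a Linux administrator usually wants is whether a given binary was actually built to benefit from them (position-independent, so ASLR can relocate its code, and with a non-executable stack) and whether the kernel has ASLR fully enabled. The script below is an added example, not from the original article and not Telegram's code. It parses just enough of an ELF64 file to answer those two questions, reads the kernel's randomize_va_space setting, and builds a constructed minimal ELF64 image so the logic can be exercised offline. The assumptions are a little-endian ELF64 input and the standard Linux /proc location of the ASLR setting; the article names no specific binary flags, so the fields used here come from the ELF specification, not from the page.

```python
"""Check the two platform protections described above (non-executable memory
and ASLR) for a Linux ELF64 binary, plus the kernel's ASLR setting.

Added example; not Telegram's code and not from the original article.
Assumptions: little-endian ELF64 input, Linux /proc layout for the ASLR knob."""
import struct
import sys
from dataclasses import dataclass

ET_EXEC, ET_DYN = 2, 3             # e_type values: fixed-address vs position-independent
PT_GNU_STACK = 0x6474E551          # program header recording the requested stack permissions
PF_X = 0x1                         # executable bit in p_flags
ELF_HEADER = "<16sHHIQQQIHHHHHH"   # ELF64 file header, 64 bytes
PROG_HEADER = "<IIQQQQQQ"          # ELF64 program header, 56 bytes


@dataclass
class HardeningReport:
    pie: bool                # built position-independent, so ASLR can relocate the image
    gnu_stack_present: bool  # a PT_GNU_STACK header was found
    nx_stack: bool           # stack requested non-executable (DEP/NX for the stack)


def inspect_elf64(data: bytes) -> HardeningReport:
    """Parse just enough of an ELF64 image to answer the PIE and NX-stack questions."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    hdr = struct.unpack_from(ELF_HEADER, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    present, nx = False, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            present, nx = True, not (p_flags & PF_X)
    # Without PT_GNU_STACK the loader falls back to an executable stack, so nx stays False.
    return HardeningReport(pie=(e_type == ET_DYN), gnu_stack_present=present, nx_stack=nx)


def system_aslr_level(path: str = "/proc/sys/kernel/randomize_va_space"):
    """Kernel ASLR setting: 0 off, 1 partial, 2 full (stack, mmap, brk). None if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def findings(report: HardeningReport, aslr_level) -> list:
    """Human-readable gaps; an empty list means both protections are in place."""
    out = []
    if not report.pie:
        out.append("binary is not PIE: ASLR cannot randomize its code addresses")
    if not report.nx_stack:
        out.append("stack executable or PT_GNU_STACK missing: DEP/NX not requested for the stack")
    if aslr_level is not None and aslr_level < 2:
        out.append(f"kernel randomize_va_space={aslr_level}: ASLR not fully enabled")
    return out


def build_sample_elf(pie: bool, nx_stack: bool, with_gnu_stack: bool = True) -> bytes:
    """Constructed minimal ELF64 image (file header + one program header) for offline testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    phnum = 1 if with_gnu_stack else 0
    header = struct.pack(ELF_HEADER, ident, ET_DYN if pie else ET_EXEC, 0x3E, 1,
                         0x1000, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    flags = 0x4 | 0x2 | (0 if nx_stack else PF_X)         # PF_R | PF_W [| PF_X]
    phdr = struct.pack(PROG_HEADER, PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return header + (phdr if with_gnu_stack else b"")


if __name__ == "__main__":
    # Usage: python elf_hardening.py /path/to/binary   (no path: inspect the constructed sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else build_sample_elf(pie=False, nx_stack=True)
    for line in findings(inspect_elf64(image), system_aslr_level()) or ["PIE and NX stack present"]:
        print(line)
```

Run it against the Telegram desktop binary installed on a Linux host to confirm the build benefits from the platform mitigations the paragraph describes; a non-PIE result or an executable stack is worth raising with whoever packages the application, since those protections are only effective for binaries built to use them.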

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
