ZDI Registered a Critical Vulnerability in Telegram — Don't Panic
On March 26, an entry ZDI-CAN-30207 concerning Telegram appeared in the database of the Zero Day Initiative — the largest independent vulnerability hunting program. The vulnerability was discovered by researcher Michael DePlante from Trend Micro.
Details are classified: according to ZDI regulations, the specifics will be disclosed either as soon as the messenger fixes the issue, or on July 24, 2026, if it does not.
There is no information about the vulnerability being exploited "in the wild" by actual hackers. Right now, no one except the researcher and Telegram developers knows what the vulnerability entails.
The popular theory about animated stickers is speculation and rumor, not facts known from this entry. All other "details" being spread by media and channels are either conjecture or descriptions of already fixed old vulnerabilities. There is no need to panic.
What to do:
• Update Telegram immediately when new versions are released.
• Use the official Telegram app to receive the update with the fix on the very first day.
• No other specific protective measures can be taken — the nature of the vulnerability is unknown.
Telegram's Reaction
The messenger's press service stated to Durov's Code that the vulnerability does not exist. Their argument: all stickers are checked by servers, therefore "the existence of such an exploit is impossible".
The @tginfo editors find this reaction strange. For some reason, Telegram commented specifically on the speculations about stickers, even though the attack vector has not been disclosed and might have nothing to do with them. It is unclear why the messenger chose to refute rumors instead of simply confirming their work on the ZDI report.
The assertion itself that the exploit does not exist due to server-side verification is technically flawed: server validation is merely one of the protection layers, which itself can contain errors and may not cover all possible scenarios. Moreover, stickers that cause the Android app to crash still exist today, which already calls into question the comprehensiveness of the claimed check.
The messenger's response to Durov's Code is a declaration, not an argument. It will only be possible to confirm or deny the existence of the problem after the details are published or a patch is released.
What Open Data Says
From the ZDI entry, the preliminary severity score — 9.8 out of 10 — and the attack vector parameters are known. If the assessment is correct, the vulnerability can be exploited remotely over the network, requires no user interaction and no system privileges, and potentially allows an attacker to gain full access to the user's data.
These are serious parameters; however, the preliminary score is set by the researcher and may be adjusted.
Context
It is not the first time Telegram has faced critical vulnerabilities. In 2020, Shielder researchers discovered 13 vulnerabilities in the rlottie library for animated stickers, including out-of-bounds write errors that allowed for remote memory corruption on the device. Telegram fixed the specific bugs but did not change the processing architecture. Potentially, animated stickers remain a broad attack surface, so it cannot be ruled out that the new vulnerability exploits them specifically.
In 2024, a flaw was discovered in Telegram Desktop that allowed programs to be disguised as videos, making it easier to convince a victim to click and launch them. In 2025, a similar EvilLoader vulnerability was found on Android. At the same time, the Russian vulnerability broker Operation Zero offered up to $4 million for zero-click exploits in Telegram, while a representative of the messenger told Forbes that "Telegram has never been vulnerable to zero-click exploits."
Practice shows that Telegram prefers to patch specific holes without addressing systemic security problems, and such rhetoric about the "absolute impossibility" of exploits does not inspire confidence considering this story.