All it takes is receiving a sticker on Telegram. The device is already compromised, the user hasn't done anything.
That's the mechanism described by Michael DePlante, a researcher at Trend Micro's Zero Day Initiative known as @izobashi, who reported the vulnerability tracked as ZDI-CAN-30207 to Telegram on March 26. There is currently no patch.
How it works
The problem lies in how animated stickers are parsed. When a file of this type arrives in a chat, the client automatically processes it to generate a preview, before the user has even touched anything. A specially crafted file can exploit this step to execute arbitrary code.
Telegram for Android and Telegram Desktop for Linux are affected. Windows and iOS don't appear to be involved, at least based on what has been published so far.
The potential consequences are as bad as it gets: full access to the device, messages, contacts, open sessions. All of this without the user noticing.
CVSS 9.8 or 7.0?
Media outlets reported a CVSS score of 9.8, with vector AV:N/AC:L/PR:N/UI:N: network attack, no complexity, no privileges required, no user interaction needed. An absolute worst-case scenario.
The ZDI Upcoming Advisories portal, however, lists a CVSS of 7.0 with vector AV:L/AC:H/UI:R: local vector, high complexity, user interaction required. A completely different scenario, implying much more specific conditions to exploit the vulnerability.
It's unclear where the 9.8 figure circulating everywhere came from. Technical details remain embargoed until July 24, 2026, when ZDI is required to make full disclosure after the standard 120 days. Anyone claiming to know exactly how the exploit is structured is speculating.
Telegram denies it
On March 30 the company responded on its X account:
"This flaw does not exist. This researcher falsely claims that a corrupted Telegram sticker could be used as an attack vector, which completely disregards that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps."
The claim is that all stickers go through server-side validation before reaching clients. A corrupted file would supposedly be filtered out there, before ever reaching the app. If that's actually how it works, the attack would be impossible under the service's normal operation.
ZDI has not withdrawn the advisory.
Italy's CSIRT isn't convinced by the denial
On the same day, Italy's National Cybersecurity Agency issued alert AL01/260328/CSIRT-ITA, high severity. The CSIRT evidently didn't find Telegram's response convincing enough to skip issuing a warning.
One point in the alert is worth highlighting: disabling automatic media download doesn't protect you. The vulnerability triggers during parsing, not during download. Anyone who already has that setting enabled and thinks they're safe is probably wrong.
What to do
There's no clean mitigation until a patch arrives. The available options all come with a cost.
Switching to Telegram Web on an up-to-date browser is the most sensible path: browser sandboxing isolates parsing from the rest of the system in a way the native app can't. It's not a definitive fix, but it concretely lowers the risk.
Those using Telegram in a business context can restrict message receipt to verified contacts only, reducing the attack surface. This requires Telegram Premium and cuts out part of normal communications.
Uninstalling the app eliminates the problem at the root, but is hardly compatible with daily use for most people.
Is an exploit already circulating?
According to some sources, Positive Technologies and Kaspersky have stated that a working exploit is already circulating in private environments. Nothing public has been released and there are no available IoCs, so checking whether a system has already been hit is practically impossible.
It's worth keeping in mind that this kind of statement often comes from companies that sell threat intelligence products. That doesn't mean it's false, but it should be taken in context.
If the attack really is remote and interaction-free as described in media coverage, we're talking about one of the most serious vulnerabilities ever found on a platform with a billion active users. But the gap between the media's CVSS 9.8 and ZDI's own 7.0 is too large to ignore, and the real technical details aren't out yet.
We'll know on July 24. In the meantime, Telegram Web is the only choice that makes sense.
Timeline
- March 26, 2026: ZDI reports the vulnerability to Telegram
- March 28, 2026: the story starts circulating in international media
- March 30, 2026: Telegram denies it; ACN issues alert AL01/260328/CSIRT-ITA
- July 24, 2026: ZDI's public disclosure deadline
Sources: Trend Micro Zero Day Initiative (ZDI-CAN-30207), ACN/CSIRT-ITA alert AL01/260328/CSIRT-ITA, SecurityOnline, CyberNews, CyberInsider