PROBABLYPWNED
Vulnerabilities · March 31, 2026 · 4 min read

Telegram Disputes Critical Zero-Click Sticker RCE Claim

Trend Micro ZDI disclosed a CVSS 9.8 flaw enabling device takeover via animated stickers. Telegram says the vulnerability doesn't exist. No patch until July 2026.

Marcus Chen

Trend Micro's Zero Day Initiative and Telegram are publicly disagreeing about whether a critical vulnerability exists in the messaging platform. ZDI says animated stickers can trigger zero-click remote code execution on Android and Linux devices. Telegram says the flaw is fabricated.

The dispute leaves users in an awkward position: either a CVSS 9.8 vulnerability exists with no patch coming until July, or a respected vulnerability research organization published a false advisory. Neither scenario inspires confidence.

The Alleged Vulnerability

ZDI-CAN-30207 targets Telegram's automatic media processing system. According to researcher Michael DePlante of TrendAI Zero Day, malicious animated stickers can trigger remote code execution when Telegram generates preview images—without any user interaction.

The attack scenario:

  1. Attacker sends a crafted animated sticker to target
  2. Telegram automatically processes the sticker to generate preview
  3. Processing triggers memory corruption or code execution
  4. Attacker gains full device control

Zero-click vulnerabilities represent the most dangerous class of mobile threats. Users don't need to tap anything, open anything, or even look at their phone. Simply receiving a message triggers exploitation. We've covered similar zero-click techniques used in nation-state spyware campaigns targeting journalists and activists.

Telegram's Position

Telegram categorically denies the vulnerability exists. The company's official statement argues that server-side validation makes exploitation impossible:

"Every sticker uploaded to the platform undergoes mandatory validation on its servers before being distributed to client applications."

According to Telegram, its infrastructure strips or rejects malicious payloads before they reach end users. Even if a crafted sticker could theoretically trigger a bug in the client, it would never pass the server-side checks.

The company hasn't provided technical details supporting this claim. Neither has ZDI published full technical details—those remain under disclosure embargo until July 24, 2026.

Severity Downgrade

The disagreement prompted ZDI to revise its assessment. On March 30, the severity score was downgraded from CVSS 9.8 to 7.0. ZDI's statement acknowledged that "server-side mitigations that Telegram described during the disclosure process" informed the revision.

That downgrade is telling. A 9.8-to-7.0 drop suggests ZDI found some merit in Telegram's server-side defense arguments—but not enough to close the advisory entirely. A CVSS 7.0 vulnerability is still significant, just not "trivially exploitable zero-click RCE" significant.

The revised score might reflect scenarios where:

  • Server-side validation can be bypassed in certain conditions
  • The vulnerability exists but requires additional attack prerequisites
  • Exploitation is possible but less reliable than initially assessed

Without technical details from either side, users can only speculate.

Risk Assessment

For Telegram users, the practical risk is uncertain. If Telegram's server-side validation works as described, exploitation should be blocked before malicious stickers reach devices. If ZDI's initial assessment was more accurate, Android and Linux users could be targeted through crafted media.

Several factors affect your exposure:

Lower risk indicators:

  • Using official Telegram apps from legitimate app stores
  • Receiving stickers only from known contacts
  • Not being a likely target for sophisticated attacks

Higher risk indicators:

  • Using modified or third-party Telegram clients
  • Participating in public groups with unknown members
  • Operating in industries or regions where targeted messaging attacks occur

Users concerned about social engineering and phishing via messaging apps should maintain caution regardless of this specific vulnerability's status.

Disclosure Timeline

  • March 26, 2026 — ZDI reports vulnerability to Telegram
  • March 30, 2026 — ZDI publishes advisory with CVSS 9.8
  • March 30, 2026 — Telegram denies vulnerability exists
  • March 30, 2026 — ZDI downgrades to CVSS 7.0
  • July 24, 2026 — ZDI's 120-day disclosure window expires

If no patch materializes by July 24, ZDI will presumably publish full technical details. That will settle the technical dispute one way or another—either demonstrating a working exploit or revealing that the initial assessment was flawed.

What Users Should Do

Until the situation clarifies:

  1. Keep Telegram updated — Any potential patches will come through app updates
  2. Review group memberships — Limit exposure to stickers from unknown sources
  3. Consider disabling auto-download for media — Reduces automatic processing of received content
  4. Monitor security news — Updates on this dispute will likely emerge over coming weeks

The dispute highlights a broader challenge with vulnerability disclosure. When vendors and researchers disagree publicly, users bear the uncertainty. Either a critical flaw exists unpatched, or security research credibility suffers. Neither outcome serves the security community well.
