The security researchers at exploit.org claimed they've found an RCE in Telegram Desktop's latest version (seems 4.16.1 at least), and updated a demonstration video targeting Windows build. Someone in the comment claimed they could not trigger the PoC in 4.16.4.

Currently 23.11 and unstable branch has 4.16.1, and master was updated to 4.16.4 yesterday.

Original message:

SECURITY ALERT ⚠️

Possible RCE was detected in Telegram's media processing in Telegram Desktop application.
This issue expose users to malicious attacks through specially crafted media files, such as images or videos.

For security reasons disable auto-download feature. Please follow these steps:
1. Go to Settings.
2. Tap on "Advanced".
3. Under the "Automatic Media Download" section, disable auto-download for "Photos", "Videos", and "Files" across all chat types (Private chats, groups, and channels).

We are currently investigating this vulnerability.

Link: https://t.me/exploitorg/30

Edit: telegram official said they could not find the vulnerability and the demonstration video is likely staged. https://twitter.com/telegram/status/1777677055837995151

Edit again: RCE confirmed but not zero-click. The user have to click a file that appear to be video files. Affected versions are 4.16.0 to 4.16.6.

huh, nobody was faster?

fine, on it.

https://chromereleases.googleblog.com/2024/04/stable-channel-update-for-desktop_10.html

cc emily