There has been a lot of speculation about the Telegram vulnerability listed on ZDI's Upcoming Advisories page.

Much of the nuance of the situation is nested deep within Bluesky replies, resulting in a digital game of telephone that's spawning anxiety and downright misinformation about the vulnerability.

I wanted to consolidate what I feel are some of the most important points into a single page to help people better understand what's happening.

TL;DR: You're going to be fine. Just update as soon as a patch is available.

The facts right now

Zero Day Initiative (ZDI) indicated that a high-severity vulnerability was reported to Telegram on March 26. The vulnerability has a severity rating of 9.8 / 10, which suggests it may be a "zero-click" remote code execution (RCE) vulnerability that could allow an attacker on Telegram to take over another user's device (possibly without their interaction or knowledge).

According to ZDI, Telegram has until July 24, 2026 to resolve the vulnerability before details will be disclosed to the public. It is extremely likely that Telegram will release a patch long before then.

As of this writing, no other details about the vulnerability are publicly available. Any other information you hear about the vulnerability is purely speculation, unless credibly sourced (i.e., from the researcher or Telegram themselves).

The vulnerability was reported by security researcher Michael DePlante (@izobashi) who has an extensive background in vulnerability discovery and responsible disclosure.

This sounds serious. Why aren't more details available?

This is how responsible disclosure works. If a security researcher finds a vulnerability, they will typically try to coordinate with the vendor to give them sufficient time to fix the problem and release an update.

Further details at this point could provide valuable information to threat actors, who could then potentially discover the vulnerability and exploit it before an update is available.

Is this really a zero-click RCE?

This is not known for certain at this time. However, the vulnerability's Common Vulnerability Scoring System (CVSS) score given by the researcher suggests it may be the case.

Even when concrete details about a vulnerability are not available, its CVSS score can give general information about its risk factors and impact. A visual chart of the score's metrics is available here.

Am I at immediate risk of being hacked?

Unless you're being targeted by nation-state threat actors, it is extremely unlikely you're at immediate risk.

Here's why: Threat actors keep vulnerabilities like this close to their chest. RCEs in messaging platforms are rare and extremely valuable weapons (especially on a platform with over 1 billion monthly active users). Freely exploiting the vulnerability would quickly result in the vulnerability getting detected and patched, putting the threat actors at a disadvantage.

Realistically, anyone with knowledge of this vulnerability is not going to burn it on you.

HOWEVER: once a vulnerability is patched, it becomes possible to see what changed between versions. It then becomes much easier to learn where the vulnerability is in unpatched versions, and potentially weaponize it. Even if the security researcher does not release more details, the update itself can provide threat actors with the information necessary to begin exploiting unpatched victims.

It is therefore crucial that you update as soon as a patch is available.

What should I do in the meantime? Should I turn off downloads?

You should look out for an update and patch as soon as it's available.

At this time, it is not known whether the vulnerability has anything to do with automatic downloads. It is possible the vulnerability affects an entirely different feature, in which case turning off automatic downloads would be ineffective.

It perhaps "doesn't hurt" to turn off whatever you want, but doing so should not be mistaken for actual protection.

Does this affect Windows / Mac / Linux? What about iPhone / Android?

These details are not known at this time.