CVE-2026-7701— Telegram Desktop 安全漏洞

Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference

A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. There is ongoing doubt regarding the real existence of this vulnerability. Upgrading to version 6.7.6 is able to resolve this issue. Upgrading the affected component is recommended. The vendor provides this rationale for the dispute: "[T]he described scenario does not lead to any security issue or vulnerability, and only causes a one-time crash. In the outlined scenario, the targeted user must perform an active action, which doesn't produce any consequences after the app is relaunched."

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

空指针解引用

Telegram Desktop 安全漏洞

Telegram Desktop是Telegram开源的一款即时通信移动应用程序的桌面版。 Telegram Desktop 6.7.5及之前版本存在安全漏洞，该漏洞源于组件Bot API中文件Telegram/SourceFiles/boxes/url_auth_box.cpp的函数RequestButton对参数login_url的操作，可能导致空指针取消引用。

N/A

N/A