Skip to main content Skip to docs navigation
There's a newer version of Bootstrap!

Crush Bug Telegram [verified]

On some devices, even seeing the notification can trigger a crash.

The attack typically involves sending a series of specially crafted messages to the targeted user, which can cause the app to consume excessive resources or crash. This can be done via the Telegram network or through other means, such as via a web browser or another app.

This write-up describes a hypothetical or recently discovered "crush bug" (a type of denial-of-service or application-hang bug) affecting Telegram clients. This is intended for educational purposes, bug bounty reporting, or security research documentation. crush bug telegram

While Telegram has stated the feature "doesn’t need to be fixed" and has argued that functionality is not a security issue, other analysts note that geolocation data is often shared with greater precision than users realize, and that "legacy users may have 'never turned on yet already authorized,' while new users can easily be passively activated during the onboarding flow."

While mostly used by pranksters to annoy friends, the crush bug can have more disruptive consequences: On some devices, even seeing the notification can

Telegram developers frequently release patches for bugs. Ensure you are using the latest version from the Google Play Store or Apple App Store.

The company asserted that such an attack vector via stickers is not possible, stating that all stickers uploaded to Telegram are validated by its servers before they can be played by Telegram apps. Telegram has repeatedly claimed that the central filtering process prevents the use of malicious stickers. Ensure you are using the latest version from

In the world of cybersecurity, vulnerabilities and bugs are an unfortunate reality. One such bug that has gained significant attention in recent times is the "Crush Bug Telegram" or more formally known as the " Crush Bug" or " FragmentSmashing" vulnerability. This blog post aims to provide an in-depth look at this infamous vulnerability, its impact, and what you can do to protect yourself.

To summarize:

During periods of active vulnerabilities (such as the zero-click sticker exploit), consider using Telegram Web in an updated browser as an alternative to the desktop or mobile app. The web version operates within the browser's security sandbox, providing an additional layer of protection.

Go to Settings > Privacy and Security . Set "Groups & Channels" to My Contacts only.