CVE-2019-3568

Summary

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Affected Software

VendorProductVersion RangeStatus
FacebookWhatsApp for Android2.19.134affected
FacebookWhatsApp for Androidunspecified < 2.19.134affected
FacebookWhatsApp Business for Android2.19.44affected
FacebookWhatsApp Business for Androidunspecified < 2.19.134affected
FacebookWhatsApp for iOS2.19.51affected
FacebookWhatsApp for iOSunspecified < 2.19.51affected
FacebookWhatsApp Business for iOS2.19.51affected
FacebookWhatsApp Business for iOSunspecified < 2.19.51affected
FacebookWhatsApp for Windows Phone2.18.348affected
FacebookWhatsApp for Windows Phoneunspecified < 2.18.348affected
FacebookWhatsApp for Tizen2.18.15affected
FacebookWhatsApp for Tizenunspecified < 2.18.15affected

Weaknesses

  • CWE-122: Heap-based Buffer Overflow (CWE-122)

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: active
    • Automatable: yes
    • Technical Impact: total

Additional References

References