CVE-2019-3568

Published: 14/05/2019 Updated: 16/05/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android before v2.19.134, WhatsApp Business for Android before v2.19.44, WhatsApp for iOS before v2.19.51, WhatsApp Business for iOS before v2.19.51, WhatsApp for Windows Phone before v2.18.348, and WhatsApp for Tizen before v2.18.15.

Affected Products

Vendor | Product | Versions
Whatsapp | Whatsapp | 2.2.5, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.9, 2.6.10, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.10.1, 2.10.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.11, 2.11.12, 2.11.14, 2.11.15, 2.11.16, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.12.11, 2.12.12, 2.12.13, 2.12.14, 2.12.15, 2.12.16, 2.12.17, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.16.13, 2.16.14, 2.16.15, 2.16.16, 2.16.17, 2.16.18, 2.16.19, 2.16.20, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 2.17.7, 2.18.93

Recent Articles

WhatsApp Zero-Day Exploited in Targeted Spyware Attacks
Threatpost • Lindsey O'Donnell • 14 May 2019

UPDATE
WhatsApp is urging users to update as soon as possible, after a zero-day vulnerability found in its messaging platform was exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns.
First reported by the Financial Times, the popular messaging app discovered in early May that attackers were installing surveillance software on iPhones and Android phones – by calling victims using WhatsApp’s call function. WhatsApp is owned by Faceboo...

It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware
The Register • Iain Thomson in San Francisco • 14 May 2019

Rap for surveillanceware chaps in chat app voice yap trap flap – now everyone patch

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.
The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on t...