Out-of-bounds read in WhatsApp Messenger for Android - CVE-2018-6350

 


Published: June 14, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35830
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-6350
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: WhatsApp
Affected software:
WhatsApp Messenger for Android

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
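The advisory does not give the exact flaw, so the following is an added example (not WhatsApp's code and not part of the original advisory) of the check this bug class calls for: a parser for the RTP header extension defined in RFC 3550 that validates the CSRC count and the extension's declared length against the bytes actually received. The names `rtp_parse_ext` and `struct rtp_ext` and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rtp_ext {
    uint16_t profile;     /* "defined by profile" field */
    const uint8_t *data;  /* extension body, NULL when X bit is clear */
    size_t len;           /* extension body length in bytes */
    size_t payload_off;   /* offset of the RTP payload */
};

/* Locate the header extension; 0 on success, -1 if malformed/truncated. */
int rtp_parse_ext(const uint8_t *pkt, size_t pkt_len, struct rtp_ext *out)
{
    if (!pkt || !out || pkt_len < 12 || (pkt[0] >> 6) != 2)
        return -1;                            /* short packet or not RTP v2 */
    size_t off = 12 + 4u * (pkt[0] & 0x0f);   /* fixed header + CSRC list */
    if (off > pkt_len)
        return -1;                            /* CSRC count exceeds the datagram */
    out->profile = 0; out->data = NULL; out->len = 0;
    if (pkt[0] & 0x10) {                      /* X bit: extension follows */
        if (pkt_len - off < 4)
            return -1;                        /* no room for the 4-byte ext header */
        out->profile = (uint16_t)((pkt[off] << 8) | pkt[off + 1]);
        size_t body = 4 * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (body > pkt_len - off)
            return -1;                        /* declared length exceeds the datagram */
        out->data = pkt + off;
        out->len = body;
        off += body;
    }
    out->payload_off = off;
    return 0;
}

/* Constructed samples: X bit set, profile 0xBEDE, then the length in words. */
static const uint8_t ok_pkt[] = { 0x90,0x60,0,1, 0,0,0,1, 0,0,0,2,
    0xBE,0xDE,0x00,0x01, 0x10,0xAA,0x00,0x00, 0x42 };
static const uint8_t bad_pkt[] = { 0x90,0x60,0,1, 0,0,0,1, 0,0,0,2,
    0xBE,0xDE,0x00,0x40, 0x10,0xAA,0x00,0x00 };   /* claims 64 words, has 1 */

int main(void)
{
    struct rtp_ext e;
    printf("ok:  %d\n", rtp_parse_ext(ok_pkt, sizeof ok_pkt, &e));
    printf("bad: %d\n", rtp_parse_ext(bad_pkt, sizeof bad_pkt, &e));
    return 0;
}
```

Every length taken from the packet is compared against the remaining byte count before any pointer is derived from it, so a datagram that overstates its extension length is rejected instead of being read past its end.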


How to mitigate CVE-2018-6350

Install the update from the vendor's website.
