Vulnerability identifier: #VU35829

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-6339

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
WhatsApp Messenger for Android
Mobile applications / Apps for mobile phones

Vendor: WhatsApp

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150.

Mitigation
Install update from vendor's website.

Vulnerable software versions

WhatsApp Messenger for Android: 2.18.180 - 2.18.294

---

External links
http://www.facebook.com/security/advisories/cve-2018-6339/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.