#VU35830 Out-of-bounds read in WhatsApp Messenger for Android - CVE-2018-6350

 

Published: June 14, 2019 / Updated: August 8, 2020


Vulnerability identifier: #VU35830
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2018-6350
CWE-ID: CWE-125
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: WhatsApp Messenger for Android
Software vendor: WhatsApp

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
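
The bug class described above, shown as an added example that is neither WhatsApp's code nor part of the original advisory: a bounds-checked parser for the RTP header extension as laid out in RFC 3550, where the 16-bit extension length taken from the packet is compared against the bytes actually received before it is used. The names rtp_ext and rtp_parse_ext and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Location of the header extension inside one RTP packet (hypothetical type). */
struct rtp_ext {
    uint16_t profile;      /* "defined by profile" field */
    const uint8_t *data;   /* extension body, NULL when the X bit is clear */
    size_t data_len;       /* body length in bytes */
    size_t payload_off;    /* offset of the RTP payload in the packet */
};

/* Returns 0 on success, -1 if any field would lie outside buf[0..len). */
int rtp_parse_ext(const uint8_t *buf, size_t len, struct rtp_ext *out)
{
    if (buf == NULL || out == NULL || len < 12)     /* fixed header is 12 bytes */
        return -1;
    if ((buf[0] >> 6) != 2)                         /* RTP version must be 2 */
        return -1;
    size_t off = 12 + 4 * (size_t)(buf[0] & 0x0F);  /* skip the CSRC list */
    if (off > len)
        return -1;
    *out = (struct rtp_ext){0};
    if (buf[0] & 0x10) {                            /* X bit: extension present */
        if (len - off < 4)                          /* 4-byte extension header */
            return -1;
        out->profile = (uint16_t)((buf[off] << 8) | buf[off + 1]);
        size_t words = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        off += 4;
        /* The length is sender-controlled: check it against what remains. */
        if (words * 4 > len - off)
            return -1;
        out->data = buf + off;
        out->data_len = words * 4;
        off += words * 4;
    }
    out->payload_off = off;
    return 0;
}

/* Constructed samples: X bit set, no CSRCs; rtp_bad claims 64 words but carries 2 bytes. */
static const uint8_t rtp_ok[]  = {0x90,0x60,0,1, 0,0,0,1, 0,0,0,1, 0xBE,0xDE,0,1, 0x10,0xAA,0,0, 0x7F};
static const uint8_t rtp_bad[] = {0x90,0x60,0,1, 0,0,0,1, 0,0,0,1, 0xBE,0xDE,0,0x40, 0x10,0xAA};

int main(void)
{
    struct rtp_ext e;
    printf("ok=%d\n", rtp_parse_ext(rtp_ok, sizeof rtp_ok, &e));
    printf("bad=%d\n", rtp_parse_ext(rtp_bad, sizeof rtp_bad, &e));
    return 0;
}
```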


Remediation

Install the update from the vendor's website.
