|CERT-In Vulnerability Note
Buffer Overflow Vulnerability in WhatsApp
Original Issue Date:November 16, 2019
Severity Rating: HIGH
- WhatsApp for Android prior to 2.19.274
- WhatsApp for iOS prior to 2.19.100
- WhatsApp Enterprise Client prior to 2.25.3
- WhatsApp for Windows Phone prior to 2.18.368
- WhatsApp Business for Android prior to 2.19.104
- WhatsApp Business for iOS prior to 2.19.100
A vulnerability has been reported in WhatsApp which could be exploited by a remote attacker to execute arbitrary code on the target system.
A stack-based buffer overflow vulnerability exists in WhatsApp due to improper parsing of elementary stream metadata of an MP4 file. A remote attacker could exploit this vulnerability by sending a specially crafted MP4 file to the target system. This could trigger a buffer overflow condition leading to execution of arbitrary code by the attacker.The exploitation does not require any form of authentication from the victim end and executes on downloading of malicious crafted mp4 file on victim's system.
Successful exploitation of this vulnerability could allow the remote attacker to cause Remote Code Execution (RCE) or Denial of Service (DoS) condition, which could lead to further compromise of the system.
- Upgrade to latest version of WhatsApp
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003