Buffer overflow in WhatsApp Messenger for Android
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-6339 |
| CWE-ID | CWE-119 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
WhatsApp Messenger for Android Mobile applications / Apps for mobile phones |
| Vendor |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Buffer overflow
EUVDB-ID: #VU35829
Risk: High
CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2018-6339
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150.
MitigationInstall update from vendor's website.
Vulnerable software versionsWhatsApp Messenger for Android: 2.18.180 - 2.18.294
CPE2.3- cpe:2.3:a:whatsapp:whatsapp:2.18.180:*:*:*:*:*:*:*
- cpe:2.3:a:whatsapp:whatsapp:2.18.182:*:*:*:*:*:*:*
- cpe:2.3:a:whatsapp:whatsapp:2.18.183:*:*:*:*:*:*:*
https://www.facebook.com/security/advisories/cve-2018-6339/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to perform certain actions on the device.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
