Cyber Resilience

CVE-2019-3568

Critical · CISA KEV · Active Exploitation · EUVD Exploited

Published: 14 May 2019
Modified: 24 October 2025
KEV Added: 19 April 2022
Patch: available
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4737 (97.8th percentile)
Risk Priority: 68 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-3568 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in WhatsApp (vendor: WhatsApp). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score ranks it in the top 2.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A buffer overflow vulnerability, tracked as CVE-2019-3568 and assigned CWE-122 and CWE-787, exists in the WhatsApp VOIP stack. It affects WhatsApp for Android prior to version 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348, and WhatsApp for Tizen prior to 2.18.15. The flaw permits remote code execution when a target processes a specially crafted series of RTCP packets.

An unauthenticated remote attacker can exploit the issue by sending the malicious RTCP packets directly to a victim's phone number over the network. Successful exploitation grants the attacker the ability to execute arbitrary code on the device with no user interaction required, which is reflected in the CVSS 3.1 base score of 9.8 (Critical).

Facebook security advisories and the CISA Known Exploited Vulnerabilities catalog recommend immediate application of the listed patched versions to address the vulnerability. The presence of the CVE in the CISA catalog indicates confirmed real-world exploitation activity.


Vulnerability details

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

CWE(s): CWE-122, CWE-787
KEV Date Added: 19 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor / Product: whatsapp / whatsapp
Versions: ≤ 2.18.15 · ≤ 2.18.348 · ≤ 2.19.51

Vendor / Product: whatsapp / whatsapp business
Versions: ≤ 2.19.44 · ≤ 2.19.51

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation). Directly requires applying the vendor patches that eliminate the buffer overflow in the WhatsApp VOIP stack.

prevent: SI-10 (Information Input Validation). Mandates input validation on untrusted RTCP packets, which would have blocked the malformed data that triggers the overflow.

prevent: Requires memory-protection mechanisms that can prevent successful exploitation of the buffer overflow even if validation fails.
