CVE-2019-3568
Published: 14 May 2019
Summary
CVE-2019-3568 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Whatsapp Whatsapp. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A buffer overflow vulnerability, tracked as CVE-2019-3568 and assigned CWE-122 and CWE-787, exists in the WhatsApp VOIP stack. It affects WhatsApp for Android prior to version 2.19.134, WhatsApp Business for Android prior to 2.19.44, WhatsApp for iOS prior to 2.19.51, WhatsApp Business for iOS prior to 2.19.51, WhatsApp for Windows Phone prior to 2.18.348, and WhatsApp for Tizen prior to 2.18.15. The flaw permits remote code execution when a target processes a specially crafted series of RTCP packets.
An unauthenticated remote attacker can exploit the issue by sending the malicious RTCP packets directly to a victim's phone number over the network. Successful exploitation grants the attacker the ability to execute arbitrary code on the device with no user interaction required, corresponding to the maximum CVSS 3.1 base score of 9.8.
Facebook security advisories and the CISA Known Exploited Vulnerabilities catalog recommend immediate application of the listed patched versions to address the vulnerability. The presence of the CVE in the CISA catalog indicates confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-13204
Vulnerability details
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to…
more
v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
- CWE(s)
- KEV Date Added
- 19 April 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires applying the vendor patches that eliminate the buffer overflow in the WhatsApp VOIP stack.
Mandates input validation on untrusted RTCP packets, which would have blocked the malformed data that triggers the overflow.
Requires memory-protection mechanisms that can prevent successful exploitation of the buffer overflow even if validation fails.