CVE-2022-36934
Published: 22 September 2022
Summary
CVE-2022-36934 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Whatsapp Whatsapp. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 5.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An integer overflow vulnerability, also associated with heap-based buffer overflow issues, affects WhatsApp and can lead to remote code execution during an established video call. The flaw carries a CVSS v3.1 score of 9.8 and is tracked under CWE-122 and CWE-190. It was publicly disclosed on 22 September 2022.
An unauthenticated attacker with network access can exploit the condition without user interaction to achieve full compromise of confidentiality, integrity, and availability on the affected endpoint. The attack vector requires an active video call session, after which successful exploitation grants arbitrary code execution.
WhatsApp has published security advisories addressing the issue at https://www.whatsapp.com/security/advisories/2022/. The EPSS score reached a peak of 0.1632 and currently stands at 0.1270, indicating modest post-disclosure interest in exploitation attempts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-39592
Vulnerability details
An integer overflow in WhatsApp could result in remote code execution in an established video call.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.