Cyber Resilience

CVE-2022-36934

Critical

Published: 22 September 2022
Modified: 24 September 2025
KEV Added: not listed
Patch: vendor advisory available (see Deeper analysis)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1270 (94.1st percentile)
Risk Priority: 27 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-36934 is a critical-severity heap-based buffer overflow (CWE-122) vulnerability in WhatsApp. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 5.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

An integer overflow vulnerability, which in turn leads to a heap-based buffer overflow, affects WhatsApp and can result in remote code execution during an established video call. The flaw carries a CVSS v3.1 score of 9.8 and is tracked under CWE-122 and CWE-190. It was publicly disclosed on 22 September 2022.

An unauthenticated attacker with network access can exploit the condition without user interaction to achieve full compromise of confidentiality, integrity, and availability on the affected endpoint. The attack vector requires an active video call session, after which successful exploitation grants arbitrary code execution.

WhatsApp has published security advisories addressing the issue at https://www.whatsapp.com/security/advisories/2022/. The EPSS score reached a peak of 0.1632 and currently stands at 0.1270, indicating modest post-disclosure interest in exploitation attempts.

Vulnerability details

An integer overflow in WhatsApp could result in remote code execution in an established video call.

CWE(s)

CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: whatsapp · Product: whatsapp · Affected versions: ≤ 2.22.16.12
Vendor: whatsapp · Product: whatsapp business · Affected versions: ≤ 2.22.16.12

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References

WhatsApp security advisories (2022): https://www.whatsapp.com/security/advisories/2022/