WhatsApp in its latest advisory informs of two remote code execution critical vulnerabilities that could user data of those using older app versions at risk. The chat company has patched the “critical” security vulnerability that could allow malicious minds to remotely install malware on a victim’s smartphone via a crafted video file.
WhatsApp identifies one of the flaws as CVE-2022-36934 describing it as an integer overflow issue that affects WhatsApp for Android prior to 220.127.116.11, Business for Android prior to 18.104.22.168, iOS prior to 22.214.171.124, and Business for iOS prior to 126.96.36.199. WhatsApp says that this bug could “result in remote code execution in an established video call.”
The second flaw, tracked as CVE-2022-27492, is an integer underflow that can be used by hackers to plant a remote code in victim’s phone by sending a specially designed video file to them. WhatsApp has fixed these vulnerabilities for both Android and iOS by releasing the 188.8.131.52 and 184.108.40.206 app versions, respectively. NVD rates this as higher severity with 7.8 score.
WhatsApp has published three advisories this year by now. The first was released in January followed by second in February. In its January update, the chat app revealed of a software vulnerability for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, and WhatsApp Desktop prior to v2.2146 if a user makes a 1:1 call to a malicious actor. The NVD base score for this vulnerability is 9.8 critical.
The February advisory informs about “missing bound check in RTCP flag parsing code prior to WhatsApp for Android v220.127.116.11, WhatsApp Business for Android v18.104.22.168, WhatsApp for iOS v22.214.171.124, WhatsApp Business for iOS 126.96.36.199, and WhatsApp Desktop v2.2145.0 could have allowed an out-of-bounds heap read if a user sent a malformed RTCP packet during an established call.”