VYPR
Unrated severity · NVD Advisory · Published Jun 14, 2019 · Updated Aug 5, 2024

CVE-2018-6339

Description

When receiving calls using WhatsApp on Android, a stack allocation failed to properly account for the amount of data being passed in. An off-by-one error meant that data was written beyond the allocated space on the stack. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An off-by-one stack buffer overflow in WhatsApp for Android allows writing one extra byte beyond allocated stack space when receiving calls.

Vulnerability

An off-by-one error in stack allocation during incoming call processing in WhatsApp for Android allows writing one byte beyond the allocated stack buffer. This issue affects WhatsApp for Android starting in version 2.18.180 and was fixed in version 2.18.295. It also affects WhatsApp Business for Android starting in version v2.18.103 and was fixed in version v2.18.150 [1].

Exploitation

An attacker can trigger the vulnerability by sending a specially crafted call to a vulnerable device. No authentication beyond the ability to initiate a call is required, and the attack can be performed remotely over the network. The off-by-one condition occurs during the handling of call data, likely involving a pointer or length miscalculation [1].

Impact

Successful exploitation results in a one-byte write beyond the bounds of a stack-allocated buffer. This can corrupt adjacent stack data, potentially leading to a crash (denial of service) or, in some cases, arbitrary code execution depending on the corrupted data. The attacker may achieve code execution with the privileges of the WhatsApp application [1].

Mitigation

The vulnerability is fixed in WhatsApp for Android version 2.18.295 and in WhatsApp Business for Android version v2.18.150. Users should update to these or later versions via the Google Play Store. No workaround exists for older versions [1].
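The version ranges above can be checked against a device inventory. The following is an added example, not part of the advisory or of any WhatsApp code; the product labels, the inventory row layout and the sample rows are assumptions made for illustration.

```python
import re

# Ranges from the CVE description: (first affected, first fixed).
# The product keys are labels chosen for this example, not package names.
RANGES = {
    "whatsapp": ((2, 18, 180), (2, 18, 295)),
    "whatsapp-business": ((2, 18, 103), (2, 18, 150)),
}

def parse_version(text):
    """Turn '2.18.180' or 'v2.18.103' into a tuple of ints; reject anything else."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def status(product, version_text):
    """Return 'before-range', 'affected' or 'fixed' for one installed version."""
    first_affected, first_fixed = RANGES[product]
    v = parse_version(version_text)
    v += (0,) * (3 - len(v))          # '2.18' compares as 2.18.0
    if v < first_affected:            # numeric compare: 2.18.99 < 2.18.180
        return "before-range"
    return "affected" if v < first_fixed else "fixed"

def audit(inventory):
    """Split (device, product, version) rows into affected and needs-review."""
    affected, review = [], []
    for row in inventory:
        _, product, version = row
        try:
            if status(product, version) == "affected":
                affected.append(row)
        except (KeyError, ValueError):  # unknown product label or odd version
            review.append(row)
    return affected, review

# Constructed inventory rows for illustration; not real devices.
SAMPLE = [
    ("dev-01", "whatsapp", "2.18.180"),
    ("dev-02", "whatsapp", "2.18.294"),
    ("dev-03", "whatsapp", "2.18.295"),
    ("dev-04", "whatsapp", "2.18.99"),
    ("dev-05", "whatsapp-business", "v2.18.149"),
    ("dev-06", "whatsapp-business", "v2.18.150"),
    ("dev-07", "whatsapp", "unknown"),
]

if __name__ == "__main__":
    for group, rows in zip(("affected", "review"), audit(SAMPLE)):
        print(group, rows)
```

Versions are compared as integer tuples because a plain string comparison would sort 2.18.99 after 2.18.295. Rows that cannot be parsed are returned for manual review rather than silently treated as fixed.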

References
  1. Facebook

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4
