CVE-2018-6349

Vulnerability

A stack-based buffer overflow exists in WhatsApp for Android and WhatsApp Business for Android when processing a sender-provided packet during call setup. The flaw stems from a missing size check in the packet parsing logic, allowing an attacker to write beyond the bounds of a stack buffer. This affects WhatsApp for Android versions prior to 2.18.248 and WhatsApp Business for Android versions prior to 2.18.132 [1].

Exploitation

An attacker can exploit this vulnerability by initiating a call to a target device and sending a specially crafted packet. No authentication or user interaction beyond answering the call is required. The attacker must be able to send network packets to the victim's device, typically over the internet via WhatsApp's infrastructure. The crafted packet triggers the overflow during parsing.

Impact

Successful exploitation allows an attacker to execute arbitrary code on the victim's device with the privileges of the WhatsApp application. This can lead to full compromise of the device, including access to messages, contacts, and other sensitive data. The vulnerability is remotely exploitable without prior access.

Mitigation

The issue is fixed in WhatsApp for Android version 2.18.248 and WhatsApp Business for Android version 2.18.132. Users should update their applications to the latest version from the Google Play Store or other official sources. No workarounds are available for unpatched versions [1].