CVE-2018-6350
Description
An out-of-bounds read was possible in WhatsApp due to incorrect parsing of RTP extension headers. This issue affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WhatsApp incorrectly parses RTP extension headers, enabling an out-of-bounds read that could crash the app or disclose memory contents.
Vulnerability
An out-of-bounds read vulnerability exists in WhatsApp due to incorrect parsing of RTP extension headers during voice or video calls. The flaw affects WhatsApp for Android prior to 2.18.276, WhatsApp Business for Android prior to 2.18.99, WhatsApp for iOS prior to 2.18.100.6, WhatsApp Business for iOS prior to 2.18.100.2, and WhatsApp for Windows Phone prior to 2.18.224 [1].
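The bounds checks an RTP extension-header parser needs, as an added example that is not WhatsApp's code and not taken from the advisory. It assumes the standard RFC 3550 packet layout; `rtp_parse` and `struct rtp_view` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct rtp_view {            /* offsets are relative to the packet start */
    size_t ext_off, ext_len; /* extension data; both 0 when X bit is clear */
    size_t payload_off, payload_len;
};

/* Returns 0 on success, -1 when a declared length exceeds the packet. */
int rtp_parse(const uint8_t *pkt, size_t len, struct rtp_view *out)
{
    if (pkt == NULL || out == NULL || len < 12)  /* fixed header is 12 bytes */
        return -1;
    if ((pkt[0] >> 6) != 2)                      /* RTP version must be 2 */
        return -1;
    size_t off = 12 + 4u * (pkt[0] & 0x0F);      /* skip CC CSRC entries */
    if (off > len)
        return -1;
    out->ext_off = out->ext_len = 0;
    if (pkt[0] & 0x10) {                         /* X bit: extension present */
        if (len - off < 4)                       /* profile + length fields */
            return -1;
        size_t ext = 4 * (((size_t)pkt[off + 2] << 8) | pkt[off + 3]);
        off += 4;
        if (ext > len - off)      /* untrusted length vs bytes actually left */
            return -1;
        out->ext_off = off;
        out->ext_len = ext;
        off += ext;
    }
    size_t pad = 0;
    if (pkt[0] & 0x20) {                         /* P bit: last byte = count */
        pad = pkt[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;
    }
    out->payload_off = off;
    out->payload_len = len - off - pad;
    return 0;
}

int main(void)
{
    /* Constructed packet: X bit set, extension claims 0xFFFF words. */
    uint8_t bad[16] = { 0x90, 0x60, [12] = 0xBE, 0xDE, 0xFF, 0xFF };
    struct rtp_view v;
    printf("oversized extension: %d\n", rtp_parse(bad, sizeof bad, &v));
    return 0;
}
```

Every length taken from the packet (CSRC count, extension word count, padding count) is compared against the bytes that remain before it is used as an offset.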
Exploitation
An attacker needs the ability to send a crafted RTP audio or video packet to the target device. No authentication is required, as the parsing occurs before any session encryption is processed. By manipulating the RTP extension header fields, the attacker triggers an out-of-bounds read on the receiving client [1].
Impact
Successful exploitation can lead to a denial-of-service condition (application crash) or, potentially, exposure of memory contents to the attacker. The impact is limited to information disclosure of the affected process’s memory; there is no evidence of code execution [1].
Mitigation
WhatsApp released fixed versions in 2018: for Android 2.18.276, for Android Business 2.18.99, for iOS 2.18.100.6, for iOS Business 2.18.100.2, and for Windows Phone 2.18.224. Users must update to these or later versions to remediate the issue [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: 2.18.99
- (no CPE) range: 2.18.276
- Range: 2.18.100.2
- (no CPE) range: 2.18.100.6
- (no CPE) range: 2.18.224
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/108803 (mitre, vdb-entry, x_refsource_BID)
- www.facebook.com/security/advisories/cve-2018-6350/ (mitre, x_refsource_MISC)