Unrated severity · NVD Advisory · Published Sep 27, 2019 · Updated Aug 4, 2024

CVE-2019-11927

Description

An integer overflow in WhatsApp media parsing libraries allows a remote attacker to perform an out-of-bounds write on the heap via specially-crafted EXIF tags in WEBP images. This issue affects WhatsApp for Android before version 2.19.143 and WhatsApp for iOS before version 2.19.100.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in WhatsApp's media parsing allows remote code execution via a crafted WEBP image with malicious EXIF tags.

Vulnerability

An integer overflow vulnerability exists in the media parsing libraries of WhatsApp for Android and iOS when processing EXIF tags in WEBP images. This flaw allows a remote attacker to trigger an out-of-bounds write on the heap. Affected versions are WhatsApp for Android before version 2.19.143 and WhatsApp for iOS before version 2.19.100. [1]
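The advisory does not publish the affected code, so the following is an added illustration of the bug class it names, not WhatsApp's code: an EXIF entry's value size is its count times the width of its field type, and an unchecked 32-bit product can wrap to a small number. The function names and the sample entry are hypothetical; the field-type widths are those of the TIFF/EXIF format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Byte width of each TIFF/EXIF field type; index is the type code (1..12). */
static const uint32_t EXIF_TYPE_SIZE[13] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Unchecked form: the 32-bit product wraps modulo 2^32, so a huge count
 * yields a tiny size that later sizes a heap buffer too small for the data. */
uint32_t exif_value_size_unchecked(uint16_t type, uint32_t count)
{
    if (type == 0 || type > 12)
        return 0;
    return count * EXIF_TYPE_SIZE[type];
}

/* Checked form: widen before multiplying, then require that the value fits
 * inside the EXIF chunk (exif_len bytes) at value_offset. */
bool exif_value_size_checked(uint16_t type, uint32_t count, uint32_t value_offset,
                             size_t exif_len, size_t *out_size)
{
    if (type == 0 || type > 12)
        return false;                      /* unknown field type */
    uint64_t size = (uint64_t)count * EXIF_TYPE_SIZE[type]; /* max (2^32-1)*8 */
    if (size > exif_len)
        return false;                      /* value larger than the chunk */
    if (value_offset > exif_len - size)
        return false;                      /* value runs past the chunk end */
    *out_size = (size_t)size;
    return true;
}

int main(void)
{
    /* Constructed sample entry: type 5 (RATIONAL, 8 bytes), count 0x20000001. */
    size_t n = 0;
    printf("unchecked size: %u\n", (unsigned)exif_value_size_unchecked(5, 0x20000001u));
    printf("checked accepts: %d\n", exif_value_size_checked(5, 0x20000001u, 0, 64, &n));
    return 0;
}
```

The checked form rejects the entry before any allocation or copy, which is the point at which a parser should refuse a malformed tag.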

Exploitation

An attacker can exploit this vulnerability by sending a specially-crafted WEBP image containing malicious EXIF tags to a victim via WhatsApp. No authentication is required beyond the victim receiving the message. The integer overflow occurs during parsing, leading to a heap buffer overflow that the attacker can control to achieve arbitrary code execution.

Impact

Successful exploitation enables a remote attacker to execute arbitrary code on the victim's device with the privileges of the WhatsApp application. This could result in full compromise of the messaging app and potentially the entire device, including access to sensitive data.

Mitigation

WhatsApp has released fixed versions: Android 2.19.143 and iOS 2.19.100. Users should update to these versions or later to mitigate the vulnerability. No workaround is available. [1]

References
  1. Facebook

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
