Unrated severity · NVD Advisory · Published Nov 14, 2019 · Updated Aug 4, 2024

CVE-2019-11931

Description

A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user. The issue was present in parsing the elementary stream metadata of an MP4 file and could result in a DoS or RCE. This affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Business for Android versions prior to 2.19.104 and Business for iOS versions prior to 2.19.100.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in WhatsApp MP4 parsing allows DoS or RCE via a crafted file.

Vulnerability

A stack-based buffer overflow exists in the parsing of elementary stream metadata of an MP4 file in WhatsApp. The vulnerability affects Android versions prior to 2.19.274, iOS versions prior to 2.19.100, Enterprise Client versions prior to 2.25.3, Windows Phone versions before and including 2.18.368, Business for Android versions prior to 2.19.104, and Business for iOS versions prior to 2.19.100 [1]. The flaw is triggered when a specially crafted MP4 file is processed by the application.
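The advisory does not publish the vulnerable routine, so the following is an added example of the bug class only, not WhatsApp's code: a hardened reader for an MPEG-4 elementary stream descriptor that validates the declared length against both the remaining input and a fixed-size stack buffer before copying. The function names, the `DSI_MAX` capacity and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSI_MAX 64  /* assumed capacity of the fixed-size stack buffer */

/* MPEG-4 descriptor header: 1 tag byte, then 1-4 length bytes of 7 bits each
 * (high bit set = another follows). Returns header size, 0 if malformed. */
static size_t desc_header(const uint8_t *p, size_t n, uint8_t *tag, uint32_t *len) {
    uint32_t v = 0;
    size_t i = 1;
    if (n < 2) return 0;
    *tag = p[0];
    for (;;) {
        if (i >= n || i > 4) return 0;  /* truncated, or length never ends */
        uint8_t b = p[i++];
        v = (v << 7) | (b & 0x7f);
        if (!(b & 0x80)) break;
    }
    *len = v;
    return i;
}

/* Hypothetical consumer: copies a DecoderSpecificInfo (tag 0x05) payload into
 * a stack buffer. Returns the payload length, or -1 if the input is rejected. */
int dsi_length_checked(const uint8_t *buf, size_t avail) {
    uint8_t dsi[DSI_MAX], tag = 0;
    uint32_t len = 0;
    size_t hdr = desc_header(buf, avail, &tag, &len);
    if (hdr == 0 || tag != 0x05) return -1;
    if (len > avail - hdr) return -1;  /* length field overstates the input */
    if (len > sizeof dsi) return -1;   /* copy would run past the stack buffer */
    memcpy(dsi, buf + hdr, len);
    return (int)len;
}

/* Constructed sample descriptors, not taken from any real file. */
const uint8_t ok_dsi[]    = {0x05, 0x02, 0x12, 0x10};
const uint8_t lying_dsi[] = {0x05, 0x81, 0x00, 0xAA};   /* declares 128 bytes */
const uint8_t big_dsi[2 + 100] = {0x05, 100};           /* 100 > DSI_MAX */
const uint8_t long_len[]  = {0x05, 0x80, 0x80, 0x80, 0x80, 0x00};

int main(void) {
    printf("ok=%d lying=%d\n", dsi_length_checked(ok_dsi, sizeof ok_dsi),
           dsi_length_checked(lying_dsi, sizeof lying_dsi));
    return 0;
}
```

Both length checks are needed: the first stops reads past the end of the file data, the second stops writes past the destination.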

Exploitation

An attacker can exploit this vulnerability by sending a crafted MP4 file to a WhatsApp user. No authentication or special privileges are required beyond the ability to deliver the malicious file (e.g., via chat). The exploit does not require user interaction beyond the recipient receiving and processing the file, which may occur automatically depending on the client's media handling [1].

Impact

Successful exploitation can lead to a denial of service (DoS) or remote code execution (RCE) with the privileges of the WhatsApp process. This could allow an attacker to execute arbitrary code on the target device or crash the application, potentially leading to full compromise of the app's data and functionality [1].

Mitigation

The fix was released in the following versions: Android 2.19.274, iOS 2.19.100, Enterprise Client 2.25.3, Business for Android 2.19.104, and Business for iOS 2.19.100. Windows Phone users should upgrade to a version beyond 2.18.368 [1]. Users are advised to update their WhatsApp clients to the latest available version to mitigate the vulnerability.

References
  1. Facebook

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
