CVE-2019-11932
Description
A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A double-free vulnerability in the android-gif-drawable library (CVE-2019-11932) allowed remote attackers to execute arbitrary code on WhatsApp for Android via a crafted GIF when the user opened the gallery view.
Vulnerability Analysis
CVE-2019-11932 is a double-free vulnerability residing in the DDGifSlurp function of the decoding.c file within the android-gif-drawable library, versions prior to 1.2.18 [2]. The library is widely used by Android applications, including WhatsApp, to parse and render GIF images [1]. The root cause is a programming error where memory is freed twice during the parsing of a specially crafted GIF file, leading to memory corruption [2].
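The root cause above is the classic zero-size reallocation hazard: a reallocation to a total size of 0 may free the old block and return NULL, and code that treats that NULL as "allocation failed, keep the old pointer" later frees the same block again. The block below is an added example, not the library's code: it models the raster-buffer handling in a reduced, hypothetical `RasterInfo` struct (field names borrowed from the fix, everything else simplified) and shows the patched shape, where a zero-area frame releases the buffer exactly once and growth is overflow-checked.

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint8_t GifPixelType;

/* Hypothetical reduced model of the fields the fix touches (not GifInfo). */
typedef struct {
    GifPixelType *rasterBits;  /* pixel buffer for the current frame */
    uint_fast32_t rasterSize;  /* pixels the buffer can hold */
} RasterInfo;

/* Hazard behind CVE-2019-11932: reallocating to total size 0 may free the
 * old block and return NULL; keeping the old pointer after that leaves a
 * dangling rasterBits that the cleanup path frees a second time.
 * Patched shape: release explicitly on a zero-area frame, otherwise grow with
 * an overflow check. Returns 0 on success, -1 on failure; on failure the old
 * buffer is untouched and still owned by info. */
int raster_resize(RasterInfo *info, uint_fast32_t width, uint_fast32_t height) {
    if (width == 0 || height == 0) {
        free(info->rasterBits);   /* exactly one free, then forget the pointer */
        info->rasterBits = NULL;
        info->rasterSize = 0;
        return 0;
    }
    if (width > UINT_FAST32_MAX / height) return -1;   /* width*height would overflow */
    uint_fast32_t newRasterSize = width * height;
    if (newRasterSize > info->rasterSize) {
        void *tmp = realloc(info->rasterBits, newRasterSize * sizeof(GifPixelType));
        if (tmp == NULL) return -1;
        info->rasterBits = tmp;
        info->rasterSize = newRasterSize;
    }
    return 0;
}

/* Walks the frame sequence that matters here: grow, shrink, zero-area frame,
 * overflowing dimensions, then final cleanup. Returns 1 when every step
 * leaves the struct consistent (no dangling pointer left to free twice). */
int raster_selftest(void) {
    RasterInfo info = { NULL, 0 };
    int ok = raster_resize(&info, 4, 4) == 0 && info.rasterSize == 16 && info.rasterBits != NULL;
    ok = ok && raster_resize(&info, 2, 2) == 0 && info.rasterSize == 16;  /* shrink: keep buffer */
    ok = ok && raster_resize(&info, 0, 7) == 0 && info.rasterBits == NULL && info.rasterSize == 0;
    ok = ok && raster_resize(&info, UINT_FAST32_MAX, 2) == -1 && info.rasterBits == NULL;
    free(info.rasterBits);   /* cleanup path: free(NULL) is a no-op, not a double free */
    return ok;
}
```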
Attack Vector and Prerequisites
The attack is remotely exploitable by sending a malicious GIF file to a WhatsApp user, for example, via a document [2]. If the sender is in the victim's contact list, the GIF can be downloaded automatically without user interaction [2]. The critical trigger occurs when the victim attempts to send a media file—upon opening the WhatsApp Gallery to select a photo or video, the application automatically generates a preview of all stored media, including the malicious GIF [2]. This action invokes the vulnerable parsing code without requiring any further user input, meaning the user does not need to send or tap the GIF itself [2].
Impact
Successful exploitation of the double-free condition allows a remote attacker to achieve remote code execution (RCE) on the victim's device [1][2]. The attacker can also cause a denial of service [1]. Given that WhatsApp had over one billion installs at the time, and many other high-install Android apps integrated the affected library [1], the vulnerability posed a significant risk of widespread exploitation.
Mitigation
Facebook (now Meta) patched this vulnerability in WhatsApp version 2.19.244 [2]. The underlying android-gif-drawable library was fixed in version 1.2.18 [1]. Users were advised to update WhatsApp immediately to protect against remote code execution attacks [2]. The vulnerability is known to be exploitable, and proof-of-concept exploits have been published [2][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pl.droidsonroids.gif:android-gif-drawable (Maven) | < 1.2.18 | 1.2.18 |
Affected products
- Range: <1.2.18
- koral--/android-gif-drawable (v5): Range: unspecified
Patches
- cc5b4f8e4346: Do not realloc array if new raster size is 0.
1 file changed · +8 −2
android-gif-drawable/src/main/c/decoding.c+8 −2 modified@@ -56,9 +56,15 @@ void DDGifSlurp(GifInfo *info, bool decode, bool exitAfterFrame) { } if (decode) { - int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth; - int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight; const uint_fast32_t newRasterSize = gifFilePtr->Image.Width * gifFilePtr->Image.Height; + if (newRasterSize == 0) { + free(info->rasterBits); + info->rasterBits = NULL; + info->rasterSize = newRasterSize; + return; + } + const int_fast32_t widthOverflow = gifFilePtr->Image.Width - info->originalWidth; + const int_fast32_t heightOverflow = gifFilePtr->Image.Height - info->originalHeight; if (newRasterSize > info->rasterSize || widthOverflow > 0 || heightOverflow > 0) { void *tmpRasterBits = reallocarray(info->rasterBits, newRasterSize, sizeof(GifPixelType)); if (tmpRasterBits == NULL) {
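Review bot: the early `return` in the new `if (newRasterSize == 0)` branch leaves `info->rasterBits` NULL and skips the rest of DDGifSlurp, so every later consumer of `rasterBits` in this function and its callers must tolerate a NULL buffer for a zero-area frame; that contract is not stated anywhere in the hunk. A one-line comment on the branch explaining why a zero-area image must not reach `reallocarray` (a zero-size reallocation may free the old block and return NULL, which the existing `tmpRasterBits == NULL` path would treat as a failure while keeping the stale pointer for a later second free) would document the double free this commit fixes. Moving the `widthOverflow`/`heightOverflow` computations below the zero check and making them `const` is fine as they are only used after it.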
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x534-j49x-mqvj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-11932 (GHSA, advisory)
- packetstormsecurity.com/files/154867/Whatsapp-2.19.216-Remote-Code-Execution.html (GHSA, x_refsource_MISC, web)
- packetstormsecurity.com/files/158306/WhatsApp-android-gif-drawable-Double-Free.html (GHSA, x_refsource_MISC, web)
- seclists.org/fulldisclosure/2019/Nov/27 (GHSA, mailing list, x_refsource_FULLDISC, web)
- awakened1712.github.io/hacking/hacking-whatsapp-gif-rce (GHSA, web)
- awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/ (MITRE, x_refsource_MISC)
- gist.github.com/wdormann/874198c1bd29c7dd2157d9fc1d858263 (GHSA, x_refsource_MISC, web)
- github.com/koral--/android-gif-drawable/commit/cc5b4f8e43463995a84efd594f89a21f906c2d20 (GHSA, x_refsource_MISC, web)
- github.com/koral--/android-gif-drawable/pull/673 (GHSA, x_refsource_CONFIRM, web)
- github.com/koral--/android-gif-drawable/pull/673/commits/4944c92761e0a14f04868cbcf4f4e86fd4b7a4a9 (GHSA, x_refsource_CONFIRM, web)
- www.facebook.com/security/advisories/cve-2019-11932 (GHSA, x_refsource_CONFIRM, web)