WhatsApp quietly fixes two severe bugs

Updated on: 28 September 2022

Jurgita Lapienytė
Chief Editor

An attacker could have taken complete control of a popular messaging platform from afar by exploiting the vulnerabilities.

WhatsApp issued patches for two remote code execution (RCE) flaws. CVE-2022-36934 scored 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), and CVE-2022-27492 scored 7.8 (high severity.)

The exploitation of CVE-2022-36934 could lead to an integer overflow in WhatsApp for Android, resulting in RCE in an established video call.

Versions affected by the flaw: WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12.

“This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger,” Malware Bytes explained.

Another bug, CVE-2022-27492, affects an unspecified code block of the component Video File Handler.

“The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it,” Malwarebytes explained.

Affected versions: WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9.

There’s been no evidence of these flaws being exploited in the wild.

“The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check,” Malwarebytes added.