An attacker could have taken complete control of a popular messaging platform from afar by exploiting the vulnerabilities.
WhatsApp issued patches for two remote code execution (RCE) flaws. CVE-2022-36934 scored 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS), and CVE-2022-27492 scored 7.8 (high severity.)
The exploitation of CVE-2022-36934 could lead to an integer overflow in WhatsApp for Android, resulting in RCE in an established video call.
Versions affected by the flaw: WhatsApp for Android prior to v22.214.171.124, Business for Android prior to v126.96.36.199, iOS prior to v188.8.131.52, Business for iOS prior to v184.108.40.206.
“This RCE bug affects a piece of code in the WhatsApp component Video Call Handler, which allows an attacker to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger,” Malware Bytes explained.
Another bug, CVE-2022-27492, affects an unspecified code block of the component Video File Handler.
“The manipulation with an unknown input leads to a memory corruption vulnerability. To exploit this vulnerability, attackers would have to drop a crafted video file on the user’s WhatsApp messenger and convince the user to play it,” Malwarebytes explained.
Affected versions: WhatsApp for Android prior to v220.127.116.11 and WhatsApp for iOS v18.104.22.168.
There’s been no evidence of these flaws being exploited in the wild.
“The vulnerabilities were found by the WhatsApp internal security team and silently fixed, so there is a good chance that your WhatsApp has already been updated. However, it never hurts to check,” Malwarebytes added.
More from Cybernews:
Subscribe to our newsletter