WhatsApp has announced the discovery of a critical vulnerability which, fortunately, has been fixed in the most recent version of the application. Still, it could compromise the security of users who have not updated to the latest version on Android and iOS.
In the changelog of the update launched on September 23, a bug was discovered that can allow an attacker to exploit all the overflow to allow them to execute malicious code on the victim’s smartphone after launching an ad hoc call specially prepared to exploit it.
Simply put, it can let an attacker exploit the flaw to obtain remote code execution in an established video call to manipulate the bug to trigger a heap-based buffer overflow and take complete control of WhatsApp Messenger.
Remote code execution vulnerabilities are a critical stage in the installation of malware, spyware, or other malicious software on a target system because they provide attackers with an advantage that allows them to further compromise the system via methods such as privilege escalation attacks.
The vulnerability has been tagged as CVE-2022-36934, having a severity score of 9.8/10 on the National Vulnerability DatabaseCVE scale, which is the highest score.
The WhatsApp versions that are affected by the bug:
- WhatsApp for Android older than v184.108.40.206
- WhatsApp Business for Android before v220.127.116.11
- WhatsApp for iOS before v18.104.22.168
- WhatsApp Business for iOS before v22.214.171.124
Thats why, it is recommended that all users download the latest update to protect against possible issues. However, it is unclear how the Whatsapp video call can be used to exploit this bug.