Vulnerability-Lookup

CVE-2019-3568 (GCVE-0-2019-3568)

Vulnerability from cvelistv5 – Published: 2019-05-14 19:52 – Updated: 2025-10-21 23:45

Summary

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-122 - Heap-based Buffer Overflow (CWE-122)

Assigner

facebook

References

URL

Tags

	https://www.facebook.com/security/advisories/cve-…	x_refsource_MISC
	http://www.securityfocus.com/bid/108329	vdb-entryx_refsource_BID

Impacted products

Vendor

Product

Version

Facebook

WhatsApp for Android

Affected: 2.19.134
Affected: unspecified , < 2.19.134 (custom)

Facebook	WhatsApp Business for Android	Affected: 2.19.44 Affected: unspecified , < 2.19.134 (custom)
Facebook	WhatsApp for iOS	Affected: 2.19.51 Affected: unspecified , < 2.19.51 (custom)
Facebook	WhatsApp Business for iOS	Affected: 2.19.51 Affected: unspecified , < 2.19.51 (custom)
Facebook	WhatsApp for Windows Phone	Affected: 2.18.348 Affected: unspecified , < 2.18.348 (custom)
Facebook	WhatsApp for Tizen	Affected: 2.18.15 Affected: unspecified , < 2.18.15 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:12:09.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
          },
          {
            "name": "108329",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/108329"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2019-3568",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-07T12:56:07.366286Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2022-04-19",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:45:37.464Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2022-04-19T00:00:00.000Z",
            "value": "CVE-2019-3568 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "WhatsApp for Android",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.134"
            },
            {
              "lessThan": "2.19.134",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "WhatsApp Business for Android",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.44"
            },
            {
              "lessThan": "2.19.134",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "WhatsApp for iOS",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.51"
            },
            {
              "lessThan": "2.19.51",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "WhatsApp Business for iOS",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.19.51"
            },
            {
              "lessThan": "2.19.51",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "WhatsApp for Windows Phone",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.18.348"
            },
            {
              "lessThan": "2.18.348",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        },
        {
          "product": "WhatsApp for Tizen",
          "vendor": "Facebook",
          "versions": [
            {
              "status": "affected",
              "version": "2.18.15"
            },
            {
              "lessThan": "2.18.15",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "dateAssigned": "2019-05-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "Heap-based Buffer Overflow (CWE-122)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-13T20:57:11.000Z",
        "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
        "shortName": "facebook"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
        },
        {
          "name": "108329",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/108329"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "DATE_ASSIGNED": "2019-05-09",
          "ID": "CVE-2019-3568",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.134"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.19.134"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp Business for Android",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.44"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.19.134"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp for iOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.51"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.19.51"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp Business for iOS",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.19.51"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.19.51"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp for Windows Phone",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.18.348"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.18.348"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              },
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "WhatsApp for Tizen",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "!=\u003e",
                            "version_value": "2.18.15"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_value": "2.18.15"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Facebook"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Heap-based Buffer Overflow (CWE-122)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.facebook.com/security/advisories/cve-2019-3568",
              "refsource": "MISC",
              "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
            },
            {
              "name": "108329",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/108329"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827",
    "assignerShortName": "facebook",
    "cveId": "CVE-2019-3568",
    "datePublished": "2019-05-14T19:52:40.000Z",
    "dateReserved": "2019-01-02T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:45:37.464Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "cisa_known_exploited": {
      "cveID": "CVE-2019-3568",
      "cwes": "[\"CWE-122\"]",
      "dateAdded": "2022-04-19",
      "dueDate": "2022-05-10",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "https://nvd.nist.gov/vuln/detail/CVE-2019-3568",
      "product": "WhatsApp",
      "requiredAction": "Apply updates per vendor instructions.",
      "shortDescription": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.",
      "vendorProject": "Meta Platforms",
      "vulnerabilityName": "WhatsApp VOIP Stack Buffer Overflow Vulnerability"
    },
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.facebook.com/security/advisories/cve-2019-3568\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"http://www.securityfocus.com/bid/108329\", \"name\": \"108329\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-04T19:12:09.468Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2019-3568\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"active\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-07T12:56:07.366286Z\"}}}, {\"other\": {\"type\": \"kev\", \"content\": {\"dateAdded\": \"2022-04-19\", \"reference\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568\"}}}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2022-04-19T00:00:00.000Z\", \"value\": \"CVE-2019-3568 added to CISA KEV\"}], \"references\": [{\"url\": \"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568\", \"tags\": [\"government-resource\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-07T12:56:16.800Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Facebook\", \"product\": \"WhatsApp for Android\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.19.134\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.19.134\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Facebook\", \"product\": \"WhatsApp Business for Android\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.19.44\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.19.134\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Facebook\", \"product\": \"WhatsApp for iOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.19.51\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.19.51\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Facebook\", \"product\": \"WhatsApp Business for iOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.19.51\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.19.51\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Facebook\", \"product\": \"WhatsApp for Windows Phone\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.18.348\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.18.348\", \"versionType\": \"custom\"}]}, {\"vendor\": \"Facebook\", \"product\": \"WhatsApp for Tizen\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.18.15\"}, {\"status\": \"affected\", \"version\": \"unspecified\", \"lessThan\": \"2.18.15\", \"versionType\": \"custom\"}]}], \"references\": [{\"url\": \"https://www.facebook.com/security/advisories/cve-2019-3568\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"http://www.securityfocus.com/bid/108329\", \"name\": \"108329\", \"tags\": [\"vdb-entry\", \"x_refsource_BID\"]}], \"dateAssigned\": \"2019-05-09T00:00:00.000Z\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"Heap-based Buffer Overflow (CWE-122)\"}]}], \"providerMetadata\": {\"orgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"shortName\": \"facebook\", \"dateUpdated\": \"2019-08-13T20:57:11.000Z\"}, \"x_legacyV4Record\": {\"affects\": {\"vendor\": {\"vendor_data\": [{\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.19.134\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.19.134\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp for Android\"}]}, \"vendor_name\": \"Facebook\"}, {\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.19.44\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.19.134\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp Business for Android\"}]}, \"vendor_name\": \"Facebook\"}, {\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.19.51\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.19.51\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp for iOS\"}]}, \"vendor_name\": \"Facebook\"}, {\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.19.51\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.19.51\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp Business for iOS\"}]}, \"vendor_name\": \"Facebook\"}, {\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.18.348\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.18.348\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp for Windows Phone\"}]}, \"vendor_name\": \"Facebook\"}, {\"product\": {\"product_data\": [{\"version\": {\"version_data\": [{\"version_value\": \"2.18.15\", \"version_affected\": \"!=\u003e\"}, {\"version_value\": \"2.18.15\", \"version_affected\": \"\u003c\"}]}, \"product_name\": \"WhatsApp for Tizen\"}]}, \"vendor_name\": \"Facebook\"}]}}, \"data_type\": \"CVE\", \"references\": {\"reference_data\": [{\"url\": \"https://www.facebook.com/security/advisories/cve-2019-3568\", \"name\": \"https://www.facebook.com/security/advisories/cve-2019-3568\", \"refsource\": \"MISC\"}, {\"url\": \"http://www.securityfocus.com/bid/108329\", \"name\": \"108329\", \"refsource\": \"BID\"}]}, \"data_format\": \"MITRE\", \"description\": {\"description_data\": [{\"lang\": \"eng\", \"value\": \"A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.\"}]}, \"problemtype\": {\"problemtype_data\": [{\"description\": [{\"lang\": \"eng\", \"value\": \"Heap-based Buffer Overflow (CWE-122)\"}]}]}, \"data_version\": \"4.0\", \"CVE_data_meta\": {\"ID\": \"CVE-2019-3568\", \"STATE\": \"PUBLIC\", \"ASSIGNER\": \"cve-assign@fb.com\", \"DATE_ASSIGNED\": \"2019-05-09\"}}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2019-3568\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-10-21T23:45:37.464Z\", \"dateReserved\": \"2019-01-02T00:00:00.000Z\", \"assignerOrgId\": \"4fc57720-52fe-4431-a0fb-3d2c8747b827\", \"datePublished\": \"2019-05-14T19:52:40.000Z\", \"assignerShortName\": \"facebook\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-CMW5-MMG8-R4FR

Vulnerability from github – Published: 2022-05-24 16:45 – Updated: 2025-10-22 00:31

Details

A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2019-3568"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-119",
      "CWE-122",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-05-14T20:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.",
  "id": "GHSA-cmw5-mmg8-r4fr",
  "modified": "2025-10-22T00:31:39Z",
  "published": "2022-05-24T16:45:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3568"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
    },
    {
      "type": "WEB",
      "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/108329"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GSD-2019-3568

Vulnerability from gsd - Updated: 2023-12-13 01:24

Details

Aliases

CVE-2019-3568

Aliases

CVE-2019-3568

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-3568",
    "description": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.",
    "id": "GSD-2019-3568"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2019-3568"
      ],
      "details": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.",
      "id": "GSD-2019-3568",
      "modified": "2023-12-13T01:24:03.356288Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve-assign@fb.com",
        "DATE_ASSIGNED": "2019-05-09",
        "ID": "CVE-2019-3568",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp for Android",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.19.134"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.19.134"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp Business for Android",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.19.44"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.19.134"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp for iOS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.19.51"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.19.51"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp Business for iOS",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.19.51"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.19.51"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp for Windows Phone",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.18.348"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.18.348"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "WhatsApp for Tizen",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "!=\u003e",
                          "version_value": "2.18.15"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_value": "2.18.15"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Facebook"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Heap-based Buffer Overflow (CWE-122)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.facebook.com/security/advisories/cve-2019-3568",
            "refsource": "MISC",
            "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
          },
          {
            "name": "108329",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/108329"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:tizen:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.18.15",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows_phone:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.18.348",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.19.51",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.19.134",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:business:iphone_os:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.19.51",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:business:android:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.19.44",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assign@fb.com",
          "ID": "CVE-2019-3568"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-119"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.facebook.com/security/advisories/cve-2019-3568",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
            },
            {
              "name": "108329",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/108329"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-08-13T21:15Z",
      "publishedDate": "2019-05-14T20:29Z"
    }
  }
}

CNVD-2019-16415

Vulnerability from cnvd - Published: 2019-06-04

Title

Facebook WhatsApp缓冲区溢出漏洞

Description

Facebook WhatsApp是美国Facebook公司的一套利用网络传送短信的移动应用程序。 Facebook WhatsApp存在缓冲区溢出漏洞，允许远程攻击者利用漏洞提交特殊的请求，可以应用程序上下文执行任意代码。

Severity

高

Patch Name

Facebook WhatsApp缓冲区溢出漏洞的补丁

Patch Description

Facebook WhatsApp是美国Facebook公司的一套利用网络传送短信的移动应用程序。 Facebook WhatsApp存在缓冲区溢出漏洞，允许远程攻击者利用漏洞提交特殊的请求，可以应用程序上下文执行任意代码。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.facebook.com/security/advisories/cve-2019-3568

Reference

https://securityaffairs.co/wordpress/85477/breaking-news/whatsapp-zero-day.html

Impacted products

Name
['Facebook WhatsApp Messenger for Android 2.17.146', 'Facebook WhatsApp for Windows 2.19.43', 'Facebook WhatsApp for Tizen 2.18.14', 'Facebook WhatsApp for iOS 2.19.50', 'Facebook WhatsApp for Android 2.19.133', 'Facebook WhatsApp Business for iOS 2.19.42', 'Facebook WhatsApp Business for Android 2.19.43']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "108329"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2019-3568"
    }
  },
  "description": "Facebook WhatsApp\u662f\u7f8e\u56fdFacebook\u516c\u53f8\u7684\u4e00\u5957\u5229\u7528\u7f51\u7edc\u4f20\u9001\u77ed\u4fe1\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\n\nFacebook WhatsApp\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u4ee5\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "discovererName": "Facebook",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.facebook.com/security/advisories/cve-2019-3568",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2019-16415",
  "openTime": "2019-06-04",
  "patchDescription": "Facebook WhatsApp\u662f\u7f8e\u56fdFacebook\u516c\u53f8\u7684\u4e00\u5957\u5229\u7528\u7f51\u7edc\u4f20\u9001\u77ed\u4fe1\u7684\u79fb\u52a8\u5e94\u7528\u7a0b\u5e8f\u3002\r\n\r\nFacebook WhatsApp\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u5229\u7528\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u7684\u8bf7\u6c42\uff0c\u53ef\u4ee5\u5e94\u7528\u7a0b\u5e8f\u4e0a\u4e0b\u6587\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Facebook WhatsApp\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Facebook WhatsApp Messenger for Android 2.17.146",
      "Facebook WhatsApp for Windows 2.19.43",
      "Facebook WhatsApp for Tizen 2.18.14",
      "Facebook WhatsApp for iOS 2.19.50",
      "Facebook WhatsApp for Android 2.19.133",
      "Facebook WhatsApp Business for iOS 2.19.42",
      "Facebook WhatsApp Business for Android 2.19.43"
    ]
  },
  "referenceLink": "https://securityaffairs.co/wordpress/85477/breaking-news/whatsapp-zero-day.html",
  "serverity": "\u9ad8",
  "submitTime": "2019-05-14",
  "title": "Facebook WhatsApp\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e"
}

CVE-2019-3568

Vulnerability from fstec - Published: 13.05.2019

Title

Уязвимость приложения для обмена сообщениями и видеозвонков WhatsApp, связанная с выходом операции за границы буфера, позволяющая нарушителю выполнить произвольный код

Description

Уязвимость приложения для обмена сообщениями и видеозвонков WhatsApp связана с выходом операции за границы буфера при обработке SRTCP-пакетов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, выполнить произвольный код путем отправки специально созданных SRTCP-пакетов

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vendor

Meta Platforms Inc

Software Name

WhatsApp for Android, WhatsApp Business for Android, WhatsApp for iOS, WhatsApp Business for iOS, WhatsApp for Windows Phone, WhatsApp for Tizen

Software Version

до 2.19.134 (WhatsApp for Android), до 2.19.44 (WhatsApp Business for Android), до 2.19.51 (WhatsApp for iOS), до 2.19.51 (WhatsApp Business for iOS), до 2.18.348 (WhatsApp for Windows Phone), до 2.18.15 (WhatsApp for Tizen)

Possible Mitigations

Установка актуальной версии программного обеспечения: https://www.whatsapp.com/download

Reference

http://www.securityfocus.com/bid/108329 https://www.facebook.com/security/advisories/cve-2019-3568 https://www.cybersecurity-help.cz/vdb/SB2019051401 https://www.securitylab.ru/news/499075.php https://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv

CWE

CWE-119, CWE-122

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Meta Platforms Inc",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 2.19.134 (WhatsApp for Android), \u0434\u043e 2.19.44 (WhatsApp Business for Android), \u0434\u043e 2.19.51 (WhatsApp for iOS), \u0434\u043e 2.19.51 (WhatsApp Business for iOS), \u0434\u043e 2.18.348 (WhatsApp for Windows Phone), \u0434\u043e 2.18.15 (WhatsApp for Tizen)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u0430\u043a\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f:\nhttps://www.whatsapp.com/download",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "13.05.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "24.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "12.11.2021",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-05420",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-3568",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "WhatsApp for Android, WhatsApp Business for Android, WhatsApp for iOS, WhatsApp Business for iOS, WhatsApp for Windows Phone, WhatsApp for Tizen",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": null,
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0431\u043c\u0435\u043d\u0430 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0432\u0438\u0434\u0435\u043e\u0437\u0432\u043e\u043d\u043a\u043e\u0432 WhatsApp, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u0432\u044b\u0445\u043e\u0434\u043e\u043c \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0438 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u0443\u0444\u0435\u0440\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0412\u044b\u0445\u043e\u0434 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0438 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u043f\u0430\u043c\u044f\u0442\u0438 (CWE-119), \u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 \u0434\u0438\u043d\u0430\u043c\u0438\u0447\u0435\u0441\u043a\u043e\u0439 \u043f\u0430\u043c\u044f\u0442\u0438 (CWE-122)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f \u0434\u043b\u044f \u043e\u0431\u043c\u0435\u043d\u0430 \u0441\u043e\u043e\u0431\u0449\u0435\u043d\u0438\u044f\u043c\u0438 \u0438 \u0432\u0438\u0434\u0435\u043e\u0437\u0432\u043e\u043d\u043a\u043e\u0432 WhatsApp \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u0432\u044b\u0445\u043e\u0434\u043e\u043c \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u0438 \u0437\u0430 \u0433\u0440\u0430\u043d\u0438\u0446\u044b \u0431\u0443\u0444\u0435\u0440\u0430 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 SRTCP-\u043f\u0430\u043a\u0435\u0442\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0439 \u043a\u043e\u0434 \u043f\u0443\u0442\u0435\u043c \u043e\u0442\u043f\u0440\u0430\u0432\u043a\u0438 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u044b\u0445 SRTCP-\u043f\u0430\u043a\u0435\u0442\u043e\u0432",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "http://www.securityfocus.com/bid/108329\nhttps://www.facebook.com/security/advisories/cve-2019-3568\nhttps://www.cybersecurity-help.cz/vdb/SB2019051401\nhttps://www.securitylab.ru/news/499075.php\nhttps://www.cisa.gov/sites/default/files/csv/known_exploited_vulnerabilities.csv",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-119, CWE-122",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 10)\n\u041a\u0440\u0438\u0442\u0438\u0447\u0435\u0441\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 9,8)"
}

FKIE_CVE-2019-3568

Vulnerability from fkie_nvd - Published: 2019-05-14 20:29 - Updated: 2025-10-24 14:14

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
cve-assign@fb.com	http://www.securityfocus.com/bid/108329	Broken Link, Third Party Advisory, VDB Entry
cve-assign@fb.com	https://www.facebook.com/security/advisories/cve-2019-3568	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/108329	Broken Link, Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://www.facebook.com/security/advisories/cve-2019-3568	Third Party Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568	US Government Resource

Impacted products

Vendor	Product	Version
whatsapp	whatsapp	*
whatsapp	whatsapp	*
whatsapp	whatsapp	*
whatsapp	whatsapp	*
whatsapp	whatsapp_business	*
whatsapp	whatsapp_business	*

JSON

To clipboard

{
  "cisaActionDue": "2022-05-10",
  "cisaExploitAdd": "2022-04-19",
  "cisaRequiredAction": "Apply updates per vendor instructions.",
  "cisaVulnerabilityName": "WhatsApp VOIP Stack Buffer Overflow Vulnerability",
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:tizen:*:*",
              "matchCriteriaId": "49A0C7E5-1C25-4EA2-9436-A7922ACACB9B",
              "versionEndExcluding": "2.18.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:windows_phone:*:*",
              "matchCriteriaId": "449816D3-570F-47D7-A70D-9351A4A6F190",
              "versionEndExcluding": "2.18.348",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "84F1BA88-BA43-4857-B4C2-A32FA2937C11",
              "versionEndExcluding": "2.19.51",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "B36B6FF7-DC69-4A5C-9FE7-EB127E6D0AA1",
              "versionEndExcluding": "2.19.134",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:android:*:*",
              "matchCriteriaId": "FB312499-524D-46A2-AB2C-5B96B84C2733",
              "versionEndExcluding": "2.19.44",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:whatsapp:whatsapp_business:*:*:*:*:*:iphone_os:*:*",
              "matchCriteriaId": "F582A5FE-D7DF-47AD-9785-9C7BF7606DD7",
              "versionEndExcluding": "2.19.51",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de desbordamiento de b\u00fafer en la pila VOIP de WhatsApp permiti\u00f3 la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de una serie de paquetes RTCP especialmente dise\u00f1ados que se enviaron a un n\u00famero de tel\u00e9fono de destino. El problema afecta a WhatsApp para Android anterior a v2.19.134, WhatsApp Business para Android anterior a v2.19.44, WhatsApp para iOS anterior a v2.19.51, WhatsApp Business para iOS anterior a v2.19.51, WhatsApp para Windows Phone antes de v2.18.348 , y WhatsApp para Tizen antes de v2.18.15."
    }
  ],
  "id": "CVE-2019-3568",
  "lastModified": "2025-10-24T14:14:39.417",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2019-05-14T20:29:03.187",
  "references": [
    {
      "source": "cve-assign@fb.com",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108329"
    },
    {
      "source": "cve-assign@fb.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/108329"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.facebook.com/security/advisories/cve-2019-3568"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "US Government Resource"
      ],
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-3568"
    }
  ],
  "sourceIdentifier": "cve-assign@fb.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-122"
        }
      ],
      "source": "cve-assign@fb.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-787"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-3568 (GCVE-0-2019-3568)

GHSA-CMW5-MMG8-R4FR

GSD-2019-3568

CNVD-2019-16415

CVE-2019-3568

FKIE_CVE-2019-3568

Tags

Sightings

Nomenclature