CVE-2022-36934: WhatsApp execute arbitrary code flaw

WhatsApp recently addressed two security vulnerabilities in its messaging app for Android and iOS that could have been exploited to execute malicious code remotely on the device.

Rated as critical severity (CVSS score: 9.8), CVE-2022-36934 affects WhatsApp for Android prior to v2.22.16.12, WhatsApp Business for Android prior to v2.22.16.12, WhatsApp for iOS prior to v2.22.16.12, and WhatsApp Business for iOS prior to v2.22.16.12. The flaw is caused by an integer overflow. By sending a specially crafted call, an attacker could exploit this vulnerability to execute arbitrary code on the device.

WhatsApp CVE-2022-36934

“An integer overflow in WhatsApp for Android prior to v2.22.16.12, Business for Android prior to v2.22.16.12, iOS prior to v2.22.16.12, Business for iOS prior to v2.22.16.12 could result in remote code execution in an established video call,” reads the WhatsApp advisory.

The second bug, tracked as CVE-2022-27492, is an integer underflow and affects WhatsApp for Android prior to v2.22.16.2 and WhatsApp for iOS v2.22.15.9. An attacker could exploit this vulnerability by getting the target to receive a crafted video file, leading to arbitrary code execution on the device.
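Both advisories describe the same vulnerability class from opposite directions: an integer overflow (a multiplied size wrapping past 32 bits) and an integer underflow (a subtracted length wrapping below zero). Either produces a length that no longer matches the data it describes, which is how a crafted call or video file can turn into memory corruption. The following added example, written for this article and not taken from WhatsApp's code, uses a hypothetical media-frame header (sample count, sample size, payload length, header length; all constructed values) to show the unchecked arithmetic beside the checked form a parser should use.

```c
#include <stdint.h>
#include <stdio.h>

/* Upper bound a parser imposes on any single frame buffer (constructed
   value for this example; a real decoder picks one from its format). */
#define MAX_FRAME_BYTES (16u * 1024u * 1024u)

/* Integer overflow pattern: count * size computed in 32 bits.
   Unsigned multiplication wraps, so a huge product becomes a small
   allocation while the later copy still uses the large count. */
uint32_t unchecked_buffer_size(uint32_t sample_count, uint32_t sample_size)
{
    return sample_count * sample_size;
}

/* Integer underflow pattern: payload_len - header_len when the header
   claims to be longer than the payload wraps to ~4 GiB. */
uint32_t unchecked_body_len(uint32_t payload_len, uint32_t header_len)
{
    return payload_len - header_len;
}

/* Checked form: widen to 64 bits so the product cannot wrap, then bound
   it. Returns -1 when the header is inconsistent, else the byte count. */
int64_t safe_buffer_size(uint32_t sample_count, uint32_t sample_size)
{
    uint64_t total = (uint64_t)sample_count * (uint64_t)sample_size;
    if (total > MAX_FRAME_BYTES)
        return -1;
    return (int64_t)total;
}

/* Checked form: refuse the subtraction unless it cannot go negative. */
int64_t safe_body_len(uint32_t payload_len, uint32_t header_len)
{
    if (header_len > payload_len)
        return -1;
    return (int64_t)(payload_len - header_len);
}

int main(void)
{
    /* Constructed header values chosen to wrap 32-bit arithmetic. */
    uint32_t count = 65536u, size = 65537u;      /* product = 2^32 + 65536 */
    uint32_t payload = 100u, header = 200u;      /* header longer than payload */

    printf("unchecked buffer size: %u bytes (wrapped)\n",
           unchecked_buffer_size(count, size));
    printf("checked buffer size:   %lld (rejected)\n",
           (long long)safe_buffer_size(count, size));
    printf("unchecked body length: %u bytes (wrapped)\n",
           unchecked_body_len(payload, header));
    printf("checked body length:   %lld (rejected)\n",
           (long long)safe_body_len(payload, header));

    /* A consistent header passes both checks. */
    printf("valid frame: %lld bytes, body %lld bytes\n",
           (long long)safe_buffer_size(1024u, 4u),
           (long long)safe_body_len(1000u, 16u));
    return 0;
}
```

The checked versions are what a reviewer should look for in any code that derives an allocation or copy length from attacker-supplied fields: widen before multiplying, compare before subtracting, and cap the result at a format-specific maximum rather than trusting the header.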

WhatsApp users are advised to update to v2.22.16.12 or later to mitigate the risk associated with CVE-2022-36934 and CVE-2022-27492. The company says there is no indication that either flaw patched in this update has been exploited for malicious purposes.