Security updates have fixed two vulnerabilities in WhatsApp's messaging software for Android and iOS that might have allowed remote code execution on vulnerable devices. One of them is a serious integer overflow vulnerability, CVE-2022-36934 (CVSS score: 9.8), which allows malicious code to be executed merely by establishing a video call.
The problem affected both WhatsApp and WhatsApp Business for Android and iOS before version 22.214.171.124. The Meta-owned messaging platform also fixed an integer underflow bug, the opposite category of error, which happens when the outcome of an operation is too small to be stored within the allocated memory space.
The high-severity flaw, designated CVE-2022-27492 (CVSS score: 7.8), affects versions of WhatsApp for Android and iOS before 126.96.36.199 and 188.8.131.52, respectively, and might be triggered by receiving a specially constructed video file. Integer overflows and underflows are a first step toward triggering undesirable behaviour, causing unexpected crashes, memory corruption, and code execution.
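The two bug classes named above can be shown with size calculations of the kind a media parser performs. This is an added illustration of the general bug class, not WhatsApp's code: the record layout, `HDR_LEN`, `MAX_FRAME_BYTES` and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN 8u                              /* hypothetical fixed header size */
#define MAX_FRAME_BYTES (64u * 1024u * 1024u)   /* hypothetical upper bound per frame */

/* Unchecked arithmetic, kept for contrast: both results wrap silently. */
uint32_t naive_payload_len(uint32_t record_len) {
    return record_len - HDR_LEN;    /* record_len < 8 wraps to about 4 GiB (underflow) */
}

uint32_t naive_alloc_size(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;    /* product wraps modulo 2^32 (overflow) */
}

/* Checked versions reject the input instead of returning a wrapped size. */
bool checked_payload_len(uint32_t record_len, uint32_t *out) {
    if (record_len < HDR_LEN)
        return false;               /* declared length is shorter than the header */
    *out = record_len - HDR_LEN;
    return true;
}

bool checked_alloc_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out) {
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    uint64_t pixels = (uint64_t)width * height;   /* 32x32-bit product fits in 64 bits */
    if (pixels > MAX_FRAME_BYTES / bpp)
        return false;               /* would exceed the allowed frame size */
    *out = (size_t)(pixels * bpp);
    return true;
}

int main(void) {
    uint32_t len = 0;
    size_t size = 0;
    /* Constructed inputs: a 4-byte record and a 65536x65536 frame at 4 bytes per pixel. */
    printf("naive payload length: %u\n", (unsigned)naive_payload_len(4));
    printf("naive allocation size: %u\n", (unsigned)naive_alloc_size(65536, 65536, 4));
    printf("checked payload accepted: %d\n", checked_payload_len(4, &len));
    printf("checked allocation accepted: %d\n", checked_alloc_size(65536, 65536, 4, &size));
    return 0;
}
```

A wrapped length used as a copy size, or a wrapped allocation size followed by a full-size write, is how these arithmetic errors turn into the memory corruption described above.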
WhatsApp did not share further details about the flaws, but cybersecurity company Malwarebytes said that they are present in two components called Video Call Handler and Video File Handler and might allow an attacker to take over the app. WhatsApp vulnerabilities can be a lucrative attack vector for threat actors looking to install malicious software on compromised devices.
The importance of updating apps can never be overemphasized. Be sure to update your apps today.