Critical WhatsApp Bugs Might Have Allowed Hackers to Take Over Devices Remotely

Two vulnerabilities in WhatsApp's messaging software for Android and iOS that might allow remote code execution on vulnerable devices have been fixed with security updates.

One of these is a serious integer overflow vulnerability in WhatsApp, CVE-2022-36934 (CVSS score: 9.8), which allows arbitrary code to be executed simply by establishing a video call.

The problem affects WhatsApp and WhatsApp Business for Android and iOS prior to version 2.22.16.12.

The Meta-owned messaging service also fixed an integer underflow bug, the opposite class of error, which occurs when the result of an operation is too small to be stored in the allocated memory space.

It affects WhatsApp for Android prior to version 2.22.16.2 and WhatsApp for iOS prior to version 2.22.15.9, and it has the CVE identifier CVE-2022-27492 (CVSS score: 7.8). It could be triggered by receiving a specially crafted video file.

Exploiting integer overflows and underflows is typically a first step toward causing undesirable behaviour such as unexpected crashes, memory corruption, and code execution.
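As an added illustration, not WhatsApp's code (the chunk layout and field names are constructed assumptions), the C below shows how a length field taken from a video file wraps when subtracted or multiplied without a range check, and the checks that reject such input before any copy or allocation happens:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Constructed example: a toy video-container "chunk" with an 8-byte header
   followed by a payload. The layout is assumed for illustration only. */
#define HDR_LEN 8u

/* Unchecked: chunk_len comes straight from the file. When chunk_len < HDR_LEN
   the unsigned subtraction underflows and wraps to a huge value, which a
   parser would then pass to memcpy or a read loop as the payload length. */
uint32_t payload_len_unchecked(uint32_t chunk_len) {
    return chunk_len - HDR_LEN;   /* 4 - 8 wraps to 0xFFFFFFFC */
}

/* Checked: validate the field against the header size and the bytes
   actually remaining in the buffer before doing the arithmetic. */
bool payload_len_checked(uint32_t chunk_len, size_t remaining, uint32_t *out) {
    if (chunk_len < HDR_LEN)  return false;   /* would underflow */
    if (chunk_len > remaining) return false;  /* would read past the buffer */
    *out = chunk_len - HDR_LEN;
    return true;
}

/* Overflow side: a frame table sized as count * frame_size can wrap in a
   32-bit size, producing a small allocation for a large amount of data.
   Divide first so the multiplication is only performed when it fits. */
bool frame_table_bytes(uint32_t count, uint32_t frame_size, uint32_t *out) {
    if (frame_size != 0 && count > UINT32_MAX / frame_size) return false;
    *out = count * frame_size;
    return true;
}
```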

WhatsApp withheld further details about the flaws, but cybersecurity company Malwarebytes said that they reside in two components known as the Video Call Handler and the Video File Handler and might allow an attacker to take control of the app.

Threat actors may find WhatsApp vulnerabilities a lucrative attack vector for deploying malicious software on compromised devices. The Israeli spyware manufacturer NSO Group used an audio calling vulnerability in 2019 to install the Pegasus spyware.
