WhatsApp has published details of a “critical” vulnerability that has been patched in a newer version of the app, but may still affect older installations that have not been updated.
Details were disclosed in a September update to WhatsApp's security advisories page, which lists vulnerabilities affecting the app, and came to light on September 23.
The critical bug is an integer overflow that would let an attacker run their own code on a victim's smartphone by placing a specially crafted video call. Remote code execution vulnerabilities are an important step in installing malware, spyware or other malicious applications on a target system: they give attackers a foot in the door that can then be widened to compromise the device further, using techniques such as privilege escalation.
The recently revealed vulnerability has been assigned the identifier CVE-2022-36934 in the National Vulnerability Database and received a severity score of 9.8 out of 10 on the CVSS scale. This corresponds to the highest possible threat level: 'critical'.
In the same security advisory update, WhatsApp also shared details about another vulnerability, CVE-2022-27492, which allows attackers to execute code after sending a malicious video file. This vulnerability was rated 7.8 out of 10, a severity level of 'high'.
Both vulnerabilities have been patched in recently updated versions of WhatsApp and should already be fixed in any installation of the app that is set to update automatically (the default on most phones). According to the security advisory, the vulnerabilities affect:
- WhatsApp for Android before v126.96.36.199
- WhatsApp Business for Android before v188.8.131.52
- WhatsApp for iOS before v184.108.40.206
- WhatsApp Business for iOS before v220.127.116.11
In addition to protecting against possible hacking exploits, there are further reasons to keep your WhatsApp installation up to date. On Monday, the company announced it was rolling out a new feature that lets users share a one-click link to join a group conversation, and said it was also testing 32-person encrypted video chats.