CVE-2019-11932
published 2019-10-03


Priority: P2 70 (high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 44.53% (98.6th percentile)
A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

Affected

3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android-gif-drawable_project | android-gif-drawable | < 1.2.18 | 1.2.18 |
| koral | android-gif-drawable | >= unspecified < 1.2.18 | 1.2.18 |
| whatsapp | whatsapp | < 2.19.244 | 2.19.244 |

Detection & IOCs (extracted from sources)

filename: libpl_droidsonroids_gif.so
  • Exploitation overwrites the GifInfo->rewindFunction pointer with a ROP gadget address to achieve arbitrary code execution. Memory forensics or crash analysis should look for corrupted GifInfo structures with unexpected rewindFunction values.
  • Vulnerable apps can be identified by extracting and checking the SHA256 of the bundled libpl_droidsonroids_gif.so. The known vulnerable library hash is F613296C6076DF86671D1B51739A23802169541B1057D40B2C61BF583032C9F9.
  • The vulnerability exists in android-gif-drawable versions before 1.2.18. Apps on Google Play and third-party stores (1mobile, 9Apps, 91 market, APKPure, Aptoide, 360 Market, PP Assistant, QQ Market, Xiaomi Market) may still ship the vulnerable library even after WhatsApp itself was patched.
  • The patched version of libpl_droidsonroids_gif.so (present in WhatsApp 2.19.291+) adds a check so that if width*height is 0, free is called and info->rasterBits is set to null, preventing the double-free. Bin diff between WhatsApp 2.19.216 (vulnerable) and 2.19.291 (patched) confirms the fix.
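
The hash check described in the list above, as an added example (not code from this page or from the android-gif-drawable project): it walks an APK as a zip archive, hashes every per-ABI copy of libpl_droidsonroids_gif.so and compares it with the SHA256 quoted above. The function names, status strings and the sample archive are assumptions made for the illustration; the sample bytes are constructed, not real library contents.

```python
import hashlib
import io
import zipfile

LIB_NAME = "libpl_droidsonroids_gif.so"
# SHA256 of the known vulnerable build, as quoted on this page (lowercased).
KNOWN_VULNERABLE = {
    "f613296c6076df86671d1b51739a23802169541b1057d40b2c61bf583032c9f9",
}


def scan_apk(apk, known_bad=KNOWN_VULNERABLE):
    """Return one finding per bundled copy of the GIF library in an APK.

    `apk` is a path or a binary file object. Each finding is a tuple
    (zip_entry, sha256_hex, status), where status is "known-vulnerable"
    or "unknown-build".
    """
    findings = []
    with zipfile.ZipFile(apk) as zf:
        for entry in zf.infolist():
            # APKs carry one copy per ABI: lib/armeabi-v7a/, lib/arm64-v8a/, ...
            if entry.is_dir() or entry.filename.rsplit("/", 1)[-1] != LIB_NAME:
                continue
            digest = hashlib.sha256()
            with zf.open(entry) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            hexdigest = digest.hexdigest()
            status = "known-vulnerable" if hexdigest in known_bad else "unknown-build"
            findings.append((entry.filename, hexdigest, status))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK (not a real app or real library bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/" + LIB_NAME, b"constructed-sample-a")
        zf.writestr("lib/armeabi-v7a/" + LIB_NAME, b"constructed-sample-b")
        zf.writestr("lib/arm64-v8a/libother.so", b"unrelated")
        zf.writestr("classes.dex", b"dex")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, sha, status in scan_apk(build_sample_apk()):
        print(f"{status:17} {sha}  {name}")
```

An "unknown-build" result is not evidence of a patched library: the page lists a single hash, so any other build or ABI of a pre-1.2.18 library will not match and still needs a version check.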

CVSS provenance

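| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |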