cbcvebase.
CVE-2019-3568
published 2019-05-14

Priority: P1, 90, critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW
CISA Known Exploited Vulnerability (due 2022-05-10)
Exploited in the wild
EPSS: 39.17% (98.4th percentile)
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Affected

18 ranges
Vendor    | Product                        | Version range                | Fixed in
----------|--------------------------------|------------------------------|---------
facebook  | whatsapp_business_for_android  | >= unspecified < 2.19.134    | 2.19.134
facebook  | whatsapp_business_for_ios      | >= unspecified < 2.19.51     | 2.19.51
facebook  | whatsapp_for_android           | >= unspecified < 2.19.134    | 2.19.134
facebook  | whatsapp_for_ios               | >= unspecified < 2.19.51     | 2.19.51
facebook  | whatsapp_for_tizen             | >= unspecified < 2.18.15     | 2.18.15
facebook  | whatsapp_for_windows_phone     | >= unspecified < 2.18.348    | 2.18.348
whatsapp  | whatsapp                       | < 2.18.15                    | 2.18.15
whatsapp  | whatsapp                       | < 2.18.348                   | 2.18.348
whatsapp  | whatsapp                       | < 2.19.51                    | 2.19.51
whatsapp  | whatsapp                       | < 2.19.134                   | 2.19.134
whatsapp  | whatsapp_business              | < 2.19.44                    | 2.19.44
whatsapp  | whatsapp_business              | < 2.19.51                    | 2.19.51

Detection & IOCs (extracted from sources)

Hashes:
  • 1d8cf2c9c12bf82bf3618becfec34ff7
  • 4203e31024d009c55cb8b1d7a4e28064
  • 4b99fb9de0e31004525f99c8a8ea6e46
  • The vulnerability is triggered via specially crafted RTCP/SRTCP packets sent to the target's phone number over VoIP — exploitation occurs even if the call is not answered. Monitor for anomalous RTCP traffic directed at WhatsApp VoIP endpoints.
  • The overflow occurs in the SRTCP/RTCP packet handler before the call is answered. Packets exceeding 1480 bytes (0x5C8) in the length field of the RTCP handler are the trigger condition — network-level detection should flag oversized RTCP packets targeting WhatsApp VoIP.
  • The patched function is a major RTCP handler called before the WhatsApp voice call is answered — detection should focus on the pre-answer call-setup phase of WhatsApp VoIP sessions.
  • Fake WhatsApp update APKs posing as a CVE-2019-3568 patch were the primary BRATA distribution vector — flag sideloaded APKs claiming to be WhatsApp updates from non-official sources.
  • When recipients received WhatsApp VoIP calls exploiting CVE-2019-3568, even unanswered calls resulted in Pegasus spyware installation — alert on WhatsApp process spawning unexpected child processes or network connections post-call-receipt.
  • NSO Group used at least one additional zero-day in WhatsApp beyond CVE-2019-3568 — patching this CVE alone does not fully remediate NSO's attack surface against WhatsApp.

CVSS provenance

Source    | Version | Score | Severity | Vector
----------|---------|-------|----------|-------------------------------------------------
nvd       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd       | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck |         | 9.8   | CRITICAL |
cisa      |         | 9.8   | CRITICAL |