CVE-2019-11933

9.8 CRITICAL

📋 TL;DR

A heap buffer overflow vulnerability in WhatsApp's GIF processing library allows remote attackers to execute arbitrary code or cause denial of service. This affects WhatsApp for Android users who receive specially crafted GIF files. The vulnerability is in libpl_droidsonroids_gif library versions before 1.2.19.

💻 Affected Systems

Products:
  • WhatsApp for Android
  • Applications using libpl_droidsonroids_gif library
Versions: WhatsApp for Android before version 2.19.291, libpl_droidsonroids_gif before 1.2.19
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when processing specially crafted GIF files. All default WhatsApp configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with full compromise of the WhatsApp application and potential access to device data, contacts, messages, and media.

🟠 Likely Case

Application crash leading to denial of service, with potential for limited data exposure.

🟢 If Mitigated

Application crash with no data compromise if the exploit fails or is detected.

🌐 Internet-Facing: HIGH - Attack can be triggered remotely via received GIF files without user interaction.
🏢 Internal Only: LOW - This is primarily an external attack vector via received media files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending a malicious GIF file to target. No authentication or user interaction needed beyond receiving the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: WhatsApp for Android 2.19.291 or later, libpl_droidsonroids_gif 1.2.19 or later

Vendor Advisory: https://www.facebook.com/security/advisories/cve-2019-11933

Restart Required: Yes

Instructions:

1. Update WhatsApp from the Google Play Store to version 2.19.291 or later.
2. For developers using libpl_droidsonroids_gif, update the dependency to version 1.2.19 or later in build.gradle.

🔧 Temporary Workarounds

Disable automatic media download (Android)

Prevents automatic download of GIF files that could trigger the vulnerability. Note that this only stops auto-download; a GIF that the user opens manually is still processed by the vulnerable library.

Settings > Data and storage usage > Media auto-download > Uncheck 'When using mobile data', 'When connected on Wi-Fi', and 'When roaming' for GIFs

🧯 If You Can't Patch

  • Disable WhatsApp GIF functionality via MDM policies if available
  • Implement network filtering to block GIF files at perimeter

🔍 How to Verify

Check if Vulnerable:

Check WhatsApp version in Settings > Help > App info. If version is below 2.19.291, you are vulnerable.

Check Version:

adb shell dumpsys package com.whatsapp | grep versionName

Verify Fix Applied:

Confirm WhatsApp version is 2.19.291 or higher in Settings > Help > App info.
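The version check above compares dot-separated numbers, and a plain string comparison gets cases like 2.19.50 vs 2.19.291 wrong. The script below is an added example (not part of this advisory or of WhatsApp): it parses the versionName line from dumpsys output and compares it field by field against the fixed release. The sample dumpsys text is constructed for offline use; pass --device to query a connected Android device over adb instead.

```shell
#!/bin/sh
# Added example: classify a WhatsApp for Android build as vulnerable to
# CVE-2019-11933 by comparing its versionName against the fixed release.
FIXED_VERSION="2.19.291"

# version_lt A B -> returns 0 if A < B, comparing numeric fields one by one.
# Non-digit characters in a field (e.g. "291-beta") are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=$(printf '%s' "${a%%.*}" | tr -dc '0-9')
    bi=$(printf '%s' "${b%%.*}" | tr -dc '0-9')
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
    case $a in *.*) a=${a#*.};; *) a="";; esac
    case $b in *.*) b=${b#*.};; *) b="";; esac
  done
  return 1
}

# extract_version_name TEXT -> prints the first versionName=... value found
extract_version_name() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' \
    | head -n 1
}

# whatsapp_status VERSION -> prints VULNERABLE or PATCHED
whatsapp_status() {
  if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# Constructed sample of the dumpsys lines this script looks at (not real output).
SAMPLE_DUMPSYS="Package [com.whatsapp] (deadbeef):
    versionCode=123456 minSdk=15 targetSdk=28
    versionName=2.19.244
    splits=[base]"

if [ "${1:-}" = "--device" ]; then
  # Live check: needs adb and a device with USB debugging enabled.
  v=$(extract_version_name "$(adb shell dumpsys package com.whatsapp)")
else
  v=$(extract_version_name "$SAMPLE_DUMPSYS")
fi
echo "WhatsApp versionName=$v -> $(whatsapp_status "$v")"
```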

📡 Detection & Monitoring

Log Indicators:

  • WhatsApp crash logs with memory corruption errors
  • Unexpected WhatsApp process termination

Network Indicators:

  • Unusual GIF file transfers to WhatsApp users
  • GIF files with abnormal structure or size

SIEM Query:

source="whatsapp" AND (event="crash" OR event="memory_error")
