CVE-2019-11932

HIGH

WhatsApp < 2.19.244 - Remote Code Execution via GIF Image Parsing


Exploitation Summary

EIP tracks 22 public exploits for CVE-2019-11932. PoCs published by Valerio Brussani, dorkerdevil, awakened1712.

AI-analyzed exploit summary: This exploit calculates the address of the system() function and a ROP gadget in libhwui.so to exploit a remote code execution vulnerability in WhatsApp versions prior to 2.19.244. It is designed to be used in conjunction with a malicious GIF file to achieve RCE.

Description

A double free vulnerability in the DDGifSlurp function in decoding.c in the android-gif-drawable library before version 1.2.18, as used in WhatsApp for Android before version 2.19.244 and many other Android applications, allows remote attackers to execute arbitrary code or cause a denial of service when the library is used to parse a specially crafted GIF image.

Exploits (22)

exploitdb WORKING POC
by Valerio Brussani · c++ · remote · android
https://www.exploit-db.com/exploits/47515

This exploit calculates the address of the system() function and a ROP gadget in libhwui.so to exploit a remote code execution vulnerability in WhatsApp versions prior to 2.19.244. It is designed to be used in conjunction with a malicious GIF file to achieve RCE.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp < 2.19.244
No auth needed
Prerequisites: Malicious GIF file · Target device running vulnerable WhatsApp version
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 268 stars
by dorkerdevil · poc
https://github.com/dorkerdevil/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, a double-free vulnerability in WhatsApp. The exploit generates a malicious GIF file that, when sent to a victim, triggers a double-free condition leading to remote code execution (RCE) via a crafted payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (specific version not specified)
No auth needed
Prerequisites: Victim must open the malicious GIF file in WhatsApp
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 208 stars
by awakened1712 · poc
https://github.com/awakened1712/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, targeting a heap overflow vulnerability in the GIF library (gif_lib). The exploit includes crafted GIF data to trigger the vulnerability and achieve remote code execution (RCE) via a gadget-based approach.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: GIF library (gif_lib) in Android applications
No auth needed
Prerequisites: Target application using vulnerable gif_lib · Ability to deliver malicious GIF file
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 38 stars
by valbrux · poc
https://github.com/valbrux/CVE-2019-11932-SupportApp

This repository contains a functional PoC for CVE-2019-11932, a WhatsApp GIF RCE vulnerability. It includes native code to calculate the system() function address and ROP gadget addresses for different devices, which are essential for exploiting the vulnerability.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WhatsApp
No auth needed
Prerequisites: Access to the target device · Ability to send crafted GIF files to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 33 stars
by Err0r-ICA · poc
https://github.com/Err0r-ICA/WhatsPayloadRCE

This repository contains a functional exploit for CVE-2019-11932, a WhatsApp remote code execution vulnerability. The exploit generates a malicious GIF file that, when sent to a victim and opened, triggers a reverse shell connection to an attacker-controlled server.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (versions prior to 2.19.244)
No auth needed
Prerequisites: Victim must open the malicious GIF file sent via WhatsApp · Attacker must set up a netcat listener on a specified port
devstral-2 · analyzed Feb 18, 2026

nomisec SUSPICIOUS 25 stars
by kal1gh0st · poc
https://github.com/kal1gh0st/WhatsAppHACK-RCE

The repository claims to exploit CVE-2019-11932 but contains no functional exploit code. Instead, it includes a CPA landing page template for monetization and vague references to WhatsApp hacking without technical details.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Theoretical
Reliability: Theoretical
Target: WhatsApp
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 17 stars
by fastmo · poc
https://github.com/fastmo/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, targeting a heap-based buffer overflow in the GIF library (egif_lib.c). The exploit leverages crafted GIF data to achieve remote code execution (RCE) via memory corruption and ROP gadgets.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: GIF library (giflib) versions affected by CVE-2019-11932
No auth needed
Prerequisites: Target application using vulnerable giflib version · Ability to deliver malicious GIF file to target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 16 stars
by mRanonyMousTZ · poc
https://github.com/mRanonyMousTZ/CVE-2019-11932-whatsApp-exploit

This repository contains a functional exploit for CVE-2019-11932, a WhatsApp vulnerability that allows remote code execution via a maliciously crafted GIF file. The exploit generates a corrupted GIF file that, when sent and viewed in WhatsApp, triggers a heap-based buffer overflow.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (versions affected by CVE-2019-11932)
No auth needed
Prerequisites: Address of system() and gadget must be replaced via an information disclosure vulnerability
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 6 stars
by SmoZy92 · poc
https://github.com/SmoZy92/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, a WhatsApp GIF RCE vulnerability. The exploit generates a malicious GIF file that triggers a heap-based buffer overflow, leading to remote code execution via a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (versions 2.19.230 and below)
No auth needed
Prerequisites: Victim must open the malicious GIF file in WhatsApp · Attacker must have a listener (netcat) set up to receive the reverse shell
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 4 stars
by TulungagungCyberLink · poc
https://github.com/TulungagungCyberLink/CVE-2019-11932

This repository contains a functional exploit PoC for CVE-2019-11932, a double-free vulnerability in WhatsApp. The exploit generates a malicious GIF file that, when sent to a victim, triggers a double-free condition leading to remote code execution (RCE) via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WhatsApp (specific version not specified)
No auth needed
Prerequisites: Victim must open the malicious GIF file in WhatsApp · Attacker must have a listener set up to receive the reverse shell
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP 4 stars
by infiniteLoopers · poc
https://github.com/infiniteLoopers/CVE-2019-11932

This repository contains a detailed technical analysis of CVE-2019-11932, a double-free vulnerability in WhatsApp's GIF parsing library (libpl_droidsonroids_gif) that leads to remote code execution. The writeup includes root cause analysis, exploit steps, and patch details.

Classification: Writeup 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WhatsApp for Android (versions before 2.19.244)
No auth needed
Prerequisites: Attacker must send a maliciously crafted GIF file to the victim · Victim must open the WhatsApp Gallery to trigger the vulnerability
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 4 stars
by JasonJerry · poc
https://github.com/JasonJerry/WhatsRCE

This repository contains a functional exploit for CVE-2019-11932, a WhatsApp remote code execution vulnerability. The exploit generates a malicious GIF file that, when sent to a victim and opened, triggers a buffer overflow leading to arbitrary command execution via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (versions prior to 2.19.244)
No auth needed
Prerequisites: Victim must open the malicious GIF file in WhatsApp · Attacker must have a listener set up for the reverse shell
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by tucommenceapousser · poc
https://github.com/tucommenceapousser/CVE-2019-11932deta

This repository contains a functional exploit for CVE-2019-11932, targeting a heap-based buffer overflow in the WhatsApp image parsing library. The exploit crafts a malicious GIF file to achieve remote code execution (RCE) by leveraging a gadget and system() function call to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WhatsApp (specific version affected by CVE-2019-11932)
No auth needed
Prerequisites: Ability to send a malicious GIF file to the target WhatsApp user
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC 1 star
by tucommenceapousser · poc
https://github.com/tucommenceapousser/CVE-2019-11932

This repository contains a functional exploit PoC for CVE-2019-11932, a double-free vulnerability in WhatsApp. The exploit generates a malicious GIF file that triggers remote code execution via a crafted payload, leveraging memory corruption to execute arbitrary commands.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (specific version not specified)
No auth needed
Prerequisites: Victim must open the malicious GIF file in WhatsApp
devstral-2 · analyzed Feb 18, 2026

nomisec STUB 1 star
by Tabni · poc
https://github.com/Tabni/https-github.com-awakened1712-CVE-2019-11932

The repository contains only a minimal README with a CVE reference and no functional exploit code or technical details. It appears to be a placeholder or stub.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec STUB 1 star
by zxn1 · poc
https://github.com/zxn1/CVE-2019-11932

The repository contains only a README.md file with minimal content (just the CVE identifier) and no exploit code or technical details. It appears to be a placeholder or stub.

Classification: Stub 100%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

gitlab WORKING POC
by gavz · poc
https://gitlab.com/gavz/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, a double-free vulnerability in WhatsApp. The exploit generates a malicious GIF file that, when sent to a victim, triggers a double-free condition leading to remote code execution (RCE) via a reverse shell.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (specific version not specified)
No auth needed
Prerequisites: Attacker needs to send the crafted GIF file to the victim · Victim must open the GIF file in WhatsApp
devstral-2 · analyzed Feb 23, 2026

gitlab WORKING POC
by mdelaclaire · poc
https://gitlab.com/mdelaclaire/CVE-2019-11932deta

This repository contains a functional exploit for CVE-2019-11932, targeting a heap-based buffer overflow in the WhatsApp image parsing library. The exploit crafts a malicious GIF file to achieve remote code execution (RCE) via a reverse shell payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: WhatsApp (specific version affected by CVE-2019-11932)
No auth needed
Prerequisites: Target must process the malicious GIF file
devstral-2 · analyzed Feb 23, 2026

nomisec STUB
by 0759104103 · poc
https://github.com/0759104103/cd-CVE-2019-11932

The repository contains only a README.md file with a title and no functional exploit code or technical details. It appears to be a placeholder or stub repository.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by k3vinlusec · poc
https://github.com/k3vinlusec/WhatsApp-Double-Free-Vulnerability_CVE-2019-11932

This repository contains a technical analysis of CVE-2019-11932, a double-free vulnerability in WhatsApp, with a focus on dynamic debugging using GEF-GDB. It explains how the exploit works but does not include functional exploit code.

Classification: Writeup 90%
Attack Type: RCE
Complexity: Complex
Reliability: Theoretical
Target: WhatsApp (version not specified)
No auth needed
Prerequisites: Debugging environment (GEF-GDB) · Vulnerable WhatsApp version
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by primebeast · poc
https://github.com/primebeast/CVE-2019-11932

This repository contains a functional exploit for CVE-2019-11932, targeting a heap overflow vulnerability in the GIF library (gif_lib). The exploit includes crafted GIF data to trigger the vulnerability and achieve remote code execution (RCE) via a JNI-based payload.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: GIF library (gif_lib) in Android applications
No auth needed
Prerequisites: Vulnerable Android application using the affected GIF library · Ability to deliver a malicious GIF file to the target
devstral-2 · analyzed Feb 18, 2026

nomisec WORKING POC
by starling021 · poc
https://github.com/starling021/CVE-2019-11932-SupportApp

This repository contains a functional PoC for CVE-2019-11932, a WhatsApp GIF RCE vulnerability. The native code calculates the system() function and ROP gadget addresses for exploitation, demonstrating the vulnerability's technical mechanics.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WhatsApp (specific version not specified)
No auth needed
Prerequisites: Target device with vulnerable WhatsApp version · Ability to deliver malicious GIF file
devstral-2 · analyzed Feb 18, 2026

References (9)

Core References
Third Party Advisory x_refsource_confirm
https://www.facebook.com/security/advisories/cve-2019-11932
Third Party Advisory x_refsource_confirm
https://github.com/koral--/android-gif-drawable/pull/673
Exploit, Third Party Advisory x_refsource_misc
https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/
Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2019/Nov/27

Scores

CVSS v3 8.8
EPSS 0.7096
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE: CWE-415
Status: published
Products (3)
android-gif-drawable_project/android-gif-drawable < 1.2.18
pl.droidsonroids.gif/android-gif-drawable 0 - 1.2.18 (Maven)
whatsapp/whatsapp < 2.19.244
Published: Oct 03, 2019
Tracked Since: Feb 18, 2026