CVE-2020-1907

CRITICAL

WhatsApp < 2.20.90 and WhatsApp Business < 2.20.90 - Remote Code Execution via RTP Extension Header Parsing

Title source: llm
STIX 2.1

Description

A stack overflow in WhatsApp for Android prior to v2.20.196.16, WhatsApp Business for Android prior to v2.20.196.12, WhatsApp for iOS prior to v2.20.90, WhatsApp Business for iOS prior to v2.20.90, and WhatsApp for Portal prior to v173.0.0.29.505 could have allowed arbitrary code execution when parsing the contents of an RTP Extension header.

References (1)

Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.whatsapp.com/security/advisories/2020/

Scores

CVSS v3 9.8
EPSS 0.0189
EPSS Percentile 77.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-787
Status published
Products (5)
whatsapp/whatsapp < 173.0.0.29.505
whatsapp/whatsapp < 2.20.196.16
whatsapp/whatsapp < 2.20.90
whatsapp/whatsapp_business < 2.20.196.12
whatsapp/whatsapp_business < 2.20.90
Published Oct 06, 2020
Tracked Since Feb 18, 2026