CVE-2020-1907
CRITICALWhatsApp < 2.20.90 and WhatsApp Business < 2.20.90 - Remote Code Execution via RTP Extension Header Parsing
Title source: llmDescription
A stack overflow in WhatsApp for Android prior to v2.20.196.16, WhatsApp Business for Android prior to v2.20.196.12, WhatsApp for iOS prior to v2.20.90, WhatsApp Business for iOS prior to v2.20.90, and WhatsApp for Portal prior to v173.0.0.29.505 could have allowed arbitrary code execution when parsing the contents of an RTP Extension header.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://www.whatsapp.com/security/advisories/2020/
Scores
CVSS v3
9.8
EPSS
0.0189
EPSS Percentile
77.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-787
Status
published
Products (5)
whatsapp/whatsapp
< 173.0.0.29.505
whatsapp/whatsapp
< 2.20.196.16
whatsapp/whatsapp
< 2.20.90
whatsapp/whatsapp_business
< 2.20.196.12
whatsapp/whatsapp_business
< 2.20.90
Published
Oct 06, 2020
Tracked Since
Feb 18, 2026