Description
The calling logic for WhatsApp for Android prior to v2.21.23, WhatsApp Business for Android prior to v2.21.23, WhatsApp for iOS prior to v2.21.230, WhatsApp Business for iOS prior to v2.21.230, WhatsApp for KaiOS prior to v2.2143, and WhatsApp Desktop prior to v2.2146 could have allowed an out-of-bounds write if a user makes a 1:1 call to a malicious actor.
References (1)
Core References
Not Applicable, Vendor Advisory x_refsource_confirm
https://www.whatsapp.com/security/advisories/2021/
Scores
CVSS v3
9.8
EPSS
0.0050
EPSS Percentile
66.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-122
CWE-787
Status
published
Products (4)
whatsapp/whatsapp
< 2.21.23 (2 CPE variants)
whatsapp/whatsapp
< 2.21.230 (2 CPE variants)
whatsapp/whatsapp
< 2.2143
whatsapp/whatsapp
< 2.2146
Published
Jan 04, 2022
Tracked Since
Feb 18, 2026